CNN
—
Several US federal government agencies have been hit in a global cyberattack by Russian cybercriminals that exploits a vulnerability in widely used software, according to a US cybersecurity agency.
The US Cybersecurity and Infrastructure Security Agency “is supporting several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement Thursday on CNN, referring to the affected software. “We are working urgently to understand the impacts and ensure timely remediation.”
Aside from US government agencies, “several hundred” companies and organizations in the US could be affected by the hack, a senior CISA official told reporters on Thursday, citing estimates from private experts.
Clop, the ransomware gang allegedly responsible, is known to demand multi-million dollar ransoms. But no ransom demands have been made to federal agencies, the senior official told reporters at a background briefing.
CISA’s response comes as Progress Software, the US company that makes the software exploited by the hackers, said it had discovered a second vulnerability in code that the company was working to fix.
The Department of Energy is among multiple federal agencies breached in the ongoing global hacking campaign, a department spokesman confirmed to CNN.
Hackers have had no “significant impact” on federal civilian agencies, CISA Director Jen Easterly told reporters, adding that hackers have been “largely opportunistic” in using the software flaw to break into networks.
The news adds to a growing number of victims of a hacking campaign that began two weeks ago and has hit major universities and state governments in the United States. The hack increases pressure on federal officials who have vowed to crack down on the scourge of ransomware attacks that have crippled US schools, hospitals and local governments.
Since late last month, hackers have been exploiting a flaw in widely used software known as MOVEit that companies and agencies use to transfer data. Progress Software, the US company that makes the software, told CNN on Thursday that a new vulnerability had been discovered in the software “that could be exploited by a bad actor.”
“We have communicated with customers about the steps they should take to further secure their environments and have also taken MOVEit Cloud offline while we urgently work to fix the issue,” the company said in a statement.
Agencies were much quicker on Thursday to deny that they had been affected by the hack than to confirm that they had been. The Transportation Security Administration and the State Department said they were not victims of the hack.
The Energy Department “took immediate action” to mitigate the impact of the hack after learning that the records of two “entities” within the department had been compromised, a department spokesman said.
“The Department has notified Congress and is working with law enforcement, CISA and affected entities to investigate the incident and mitigate the impacts of the breach,” the spokesperson said in a statement.
One of the Energy Department’s victims is Oak Ridge Associated Universities, a nonprofit research center, a department spokesman told CNN. The other victim is a contractor affiliated with the department’s Waste Isolation Pilot Plant in New Mexico, which disposes of waste associated with atomic energy, the spokesman said.
Federal News Network first reported on the Department of Energy victims.
Johns Hopkins University in Baltimore and the university’s famed health system said in a statement this week that “sensitive personal and financial information,” including health billing records, may have been stolen in the hack.
Meanwhile, the State University System of Georgia, which encompasses the 40,000-student University of Georgia along with more than a dozen other state colleges and universities, confirmed it was investigating the “scope and severity” of the hack.
Last week, CLOP claimed credit for some of the hacks, which have also hit employees of the BBC, British Airways, oil giant Shell and the state governments of Minnesota and Illinois, among others.
Russian hackers were the first to exploit the MOVEit vulnerability, but experts say other groups may now have access to the software code needed to carry out attacks.
The ransomware group had given victims until Wednesday to contact them to pay a ransom, after which they began listing more alleged victims of the hack on their dark web extortion site. As of Thursday morning, the dark website did not list any US federal agencies. Instead, the hackers wrote in all caps: “If you’re a government, city or police service, don’t worry, we’ve deleted all your data. You don’t need to contact us. We have no interest in exposing this information.”
The CLOP ransomware group is one of several Eastern European and Russian gangs that focus almost exclusively on extorting their victims for as much money as possible.
“The activity we’re seeing right now, adding company names to their leak site, is a tactic to scare victims, both listed and unlisted, into paying,” said Rafe Pilling, director of threat research at Dell-owned Secureworks.
This story has been updated with additional news.