The US Department of Energy and other federal agencies have fallen victim to a series of cyberattacks by the Russian ransomware gang Clop, which exploited the MOVEit file-transfer vulnerability. Jen Easterly, director of the US government's Cybersecurity and Infrastructure Security Agency (CISA), stated in a briefing on Thursday, "Since the vulnerability was disclosed, we have been working closely with Progress Software, with the FBI, and with our federal partners to understand prevalence within federal agencies." She also added, "We are now providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications."
Earlier this month, CISA and the FBI reported that Clop had taken advantage of a security hole in MOVEit to steal documents from vulnerable networks. Despite the group starting to leak victims' names, they appear to be keeping their promise not to publish any stolen government data. Easterly said, "We are not aware of Clop actors threatening to extort, or release any data stolen from government agencies." She also emphasized that this campaign does not present a systemic risk to national security or the nation's network like the SolarWinds attack.
CISA officials did not disclose which government agencies were compromised but confirmed that no military branches were affected. MOVEit, a suite of software developed by Progress Software, is utilized in various industries, including banking and healthcare, for sharing and managing documents. An SQL-injection flaw within the code can be exploited to gain control of a vulnerable MOVEit deployment and steal data from that installation. Clop has widely abused this vulnerability to extract information from victims and hold that data for ransom. The US Department of Energy confirmed that Clop had accessed its data as part of this widespread attack.
The break-ins have been described as "opportunistic" rather than attempts to steal high-value information. The majority of the attacks occurred shortly after Progress Software disclosed the bug in its file-transfer application. Easterly explained, "As far as we know, these actors are only stealing information that is specifically stored on your file transfer application at the precise time that the intrusion occurred." She also said that the attacks are not being leveraged to gain broader access, persistence into targeted systems, or to steal specific, high-value information.
Progress Software initially disclosed some information about the SQL-injection vulnerability in its multi-tool file-transfer product on May 31, warning that exploitation "could lead to escalated privileges and potential unauthorized access to the environment." The vendor issued a patch for the bug a day later, but the mass exploitation and broad data theft were already well underway. Last Friday, security researchers discovered more MOVEit vulnerabilities.
Clop has demanded corporate victims pay a ransom or else it will name them and leak any private information that was exfiltrated. While CISA and the FBI have also attributed the intrusions to Clop, a senior CISA official stated there is no evidence of any coordination between Clop and the Kremlin in the MOVEit attacks. The full scope of the attacks may not be known for weeks, but several victims have already come forward, alerting their customers, staff, and patients that their private data may have been stolen. This includes government agencies, such as the Minnesota Department of Education in the US, the UK's telco regulator Ofcom, and Canadian province Nova Scotia's health authority, as well as high-profile corporations like British Airways, the BBC, and the Boots pharmacy chain.