
Russian ransomware group breached federal agencies in cyberattack – UnlistedNews

A Russian ransomware group gained access to data from federal agencies, including the Department of Energy, in an attack that exploited file transfer software to steal and sell user data, US officials said Thursday.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described the breach as largely “opportunistic,” saying it was not focused on “specific high-value information” and was not as damaging as previous cyberattacks on US government agencies.

“Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” Easterly told reporters on Thursday, referring to the mass breach that compromised multiple US intelligence agencies in 2020.

The Energy Department said Thursday that the records of two entities within the department had been compromised and that it had notified Congress and CISA of the breach.

“DOE took immediate action to prevent further exposure to the vulnerability,” said Chad Smith, deputy press secretary for the Department of Energy.

Representatives for the State Department and the FBI declined to comment on whether their agencies were affected.

Based on an assessment by CISA and FBI investigators, Easterly said, the breach was part of a larger ransomware operation carried out by Clop, a Russian ransomware gang that exploited a vulnerability in MOVEit software and attacked a variety of local governments, universities and corporations.

Earlier this month, public officials in Illinois, New Scotland and London revealed that they were among the software users affected by the attack. British Airways and the BBC said they were also affected by the breach. Johns Hopkins University, the University System of Georgia and European oil and gas giant Shell have issued similar statements about the attack.

A senior CISA official said only a small number of federal agencies had been affected, but declined to identify which ones. But, the official added, initial reports from the private sector suggested that at least several hundred companies and organizations had been affected. The official spoke on condition of anonymity to discuss the attack.

According to data compiled by the company GovSpend, several government agencies have purchased the MOVEit software, including NASA, the Treasury Department, Health and Human Services, and arms of the Department of Defense. But it wasn’t clear how many agencies were actively using it.

Clop previously claimed responsibility for the earlier wave of breaches on its website.

The group stated that it had “no interest” in exploiting any data stolen from government or law enforcement offices and had removed it, focusing only on stolen business information.

Robert J. Carey, president of cybersecurity firm Cloudera Government Solutions, noted that data stolen in ransomware attacks can easily be sold to other illegal actors.

“Anyone using this is probably compromised,” he said, referring to the MOVEit software.

The revelation that federal agencies were also among those affected was previously reported by CNN.

A representative for MOVEit, which is owned by Progress Software, said the company had “engaged with federal law enforcement and other agencies” and would “combat increasingly sophisticated and persistent cybercriminals who attempt to maliciously exploit vulnerabilities in widely used software products.” The company originally identified the vulnerability in its software in May and issued a patch, and CISA added it to its online catalogue of known vulnerabilities on June 2.

When asked about the possibility that Clop was acting in coordination with the Russian government, the CISA official said the agency had no evidence to suggest such coordination.

The MOVEit breach is another example of government agencies falling victim to cybercrime organized by Russian groups, as ransomware campaigns aimed primarily at Western targets have repeatedly shut down critical civilian infrastructure, including hospitals, power systems, and city services.

Historically, some attacks appear to be primarily financially motivated, such as when as many as 1,500 companies worldwide were attacked by Russian ransomware in 2021.

But in recent months, Russian ransomware groups have also engaged in ostensibly political attacks with the tacit approval of the Russian government, targeting countries that have supported Ukraine since Russia invaded last year.

Shortly after the invasion, 27 government institutions in Costa Rica came under ransomware attacks by another Russian group, Conti, forcing the country’s president to declare a national state of emergency.

Cyberattacks originating from Russia were already a point of contention in US-Russia relations before the war in Ukraine. The issue was high on the White House agenda when President Biden met with President Vladimir V. Putin of Russia in 2021.

A ransomware attack on one of the largest gasoline pipelines in the United States by a group believed to be in Russia forced the pipeline operator to pay $5 million to recover the stolen data just a month before Biden and Putin met. Federal investigators later said they recovered much of the ransom in a cyber operation.

Also Thursday, analysts at cybersecurity firm Mandiant identified an attack against Barracuda Networks, an email security provider, which they said appeared to be part of a Chinese spying effort. That breach also affected a variety of government and private organizations, including the ASEAN Ministry of Foreign Affairs and foreign trade offices in Hong Kong and Taiwan, Mandiant wrote in its report.


Sara Marcus

