Russian Ransomware Group Breached Federal Agencies

Homeland Security officials say that the Department of Energy, along with several other federal agencies, was compromised by a Russian cyberextortion group’s global hack of an application popular among corporations and governments. However, Homeland Security officials do not expect this to have a significant impact.

The hacking of Thursday was having a serious impact on some of the victims, including those of two state motor vehicle agencies and others who could have been hundreds.

Jen Easterly of the Cybersecurity and Infrastructure Security Agency told reporters that this hacking campaign was relatively short, superficial and detected quickly, unlike the months-long, meticulous SolarWinds campaign that had been attributed to Russian intelligence agents backed by the Russian state.

Easterly stated that “based on discussions with industry partners, these intrusions were not used to gain access to broader systems, gain persistence in targeted systems, or steal specific high-value information.”

She added, “Although this campaign is very concerning and we are working to resolve it urgently, this isn’t a campaign similar to SolarWinds which presents a risk systemic to our national network or security.”

Senior CISA officials said that neither the U.S. intelligence community nor military was affected. Energy Department spokesperson Chad Smith stated that two agencies were compromised, but didn’t provide any further details.

To date, victims include the Office of Motor Vehicles in Louisiana, Oregon’s Department of Transportation and the Nova Scotia Provincial Government. British Airways, British Broadcasting Company, and U.K. drugstore Boots are also known. Businesses use MOVEit to share files securely. Security experts warn that this can include sensitive insurance and financial data.

Officials in Louisiana said that personal information of people who have a Louisiana driver’s licence or vehicle registration was likely exposed. This included the person’s name, birthdate, Social Security Number, and address. Louisiana residents were encouraged to freeze their credit in order to protect themselves from identity theft.

The Oregon Department of Transportation announced Thursday that attackers gained access to personal information, including some of it sensitive, of about 3.5 millions people who received driver’s licences or identity cards from the state.

Cl0p, the ransomware group behind the hack, announced on its dark-web site last week that the victims of the hack, which it estimated to be in the hundreds, only had until Wednesday to contact them to negotiate a payment or risk their stolen data being posted online.

The group, which is one of the most prolific cybercrime syndicates in the world, claimed that it would also delete all data stolen from government, city and police departments.

Cl0p did not leak any data or extortion requests from affected federal agencies. The official spoke on condition of anonymity in order to discuss the breach.

The official stated that the U.S. officials have “no evidence” to suggest any coordination between Cl0p, the Russian government and U.S. officials.

Progress Software, the parent company of MOVIEit’s U.S. manufacturer, alerted its customers on May 31, and released a patch. Cybersecurity researchers claim that by May 31, sensitive data could have been quietly accessed in scores, if not hundreds, of companies.

The senior CISA official stated that “at this point we are seeing estimates from the industry of several hundred victims across the nation.” Federal officials encourage victims to come forward but they don’t always do so. In the United States, there is no federal law governing data breaches. State laws vary in their disclosure. Publicly traded companies, health care providers, and some critical infrastructure suppliers do have regulatory requirements.

SecurityScorecard, a cybersecurity firm, says that it has detected 2,500 MOVEit servers vulnerable across 790 organizations including 200 government agencies. The firm said that it could not break down the agencies by country.

According to federal contracting information, the Office of the Comptroller of the Currency at the Treasury Department uses Moveit. Stephanie Collins, spokeswoman for the Treasury Department, said that the agency is aware of the hacking and has been closely monitoring the situation. She said that the agency was conducting a detailed forensics analysis of the system activity, and had not found any signs of a breach involving sensitive information.

Jared Smith, a SecurityScorecard threat expert, said that hackers had been actively searching for targets and penetrating those targets to steal data as early as March 29.

Cl0p is not the first to breach a file transfer program in order to obtain data that it can then use to extort businesses. Other examples include GoAnywhere servers early in 2023 and Accellion Device File Transfer Application devices between 2020 and 2021.

The Associated Press emailed CL0p on Friday asking which government agencies they had hacked. The gang did not get a reply, but posted a message on their dark web site saying that: “We received a lot emails about government information, we do not have it, we have deleted this data we are only concerned with business.”

Cl0p criminals cannot be trusted, say cyber security experts. Allan Liska, of the firm Recorded Future, has stated that he knows of at least three instances in which ransomware criminals have stolen data and then posted it on the dark internet six to ten months after the victims paid the ransom.

Newsmax.com