A global cyberattack has impacted “several” U.S. federal agencies by exploiting a vulnerability in widely used software. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) made a statement on Thursday indicating they are assisting agencies affected by the hacking activities.
CISA’s Response
CISA Executive Assistant Director for Cybersecurity Eric Goldstein said:
(CISA) is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications.
He added:
We are working urgently to understand impacts and ensure timely remediation.
It remains unclear if the hackers responsible for breaching the federal agencies are the same Russian-speaking ransomware group that has claimed credit for other victims in the ongoing hacking campaign. When questioned about the hack’s perpetrators and the number of affected agencies, a CISA spokesperson declined to comment.
Earlier this month, CISA added a recently exploited security flaw in the Progress MOVEit Transfer managed file transfer (MFT) solution to its catalog of known vulnerabilities being targeted by attackers. As a result, U.S. federal agencies have been directed to apply system patches by June 23, which is next Friday.
Progress, the U.S. company that owns the MOVEit software, has urged victims to update their software packages and has issued security recommendations to mitigate the risks.
Growing List of Targets
This latest cyber-attack adds to a growing list of targets in a widespread hacking campaign that began two weeks ago and has already impacted major U.S. universities and state governments. The escalating wave of cyberattacks is increasing pressure on federal officials who have pledged to address the rising threat of ransomware attacks that have disrupted schools, hospitals, and local governments across the United States.
Johns Hopkins University and its renowned health system recently disclosed that sensitive personal and financial information, including health billing records, may have been stolen in the hack. Similarly, Georgia’s statewide university system, which includes the University of Georgia and several other state colleges and universities, is currently investigating the scale and severity of the breach.
The hacking group known as CLOP, which operates in the Russian-speaking sphere, claimed responsibility for some of the recent hacks. Their targets have also included employees of the BBC, British Airways, oil giant Shell, state governments in Minnesota and Illinois, the government of Nova Scotia, and others. CLOP hackers claimed to “have information on hundreds of companies.” While these Russian hackers were the first to exploit the vulnerability, experts warn that other groups may now have access to the software code required to carry out similar attacks.
Ransom Deadline
The ransomware group had set a deadline of Wednesday, June 14, for victims to contact them regarding ransom payment, threatening to start publishing data from companies they claim to have hacked. After the deadline passed, they began revealing additional alleged victims of the hack on their dark web extortion site. As of Thursday morning, no U.S. federal agencies were listed on the site. In an earlier threat, the hackers said they would start leaking the stolen data on June 21.
This incident highlights the significant impact a single software flaw can have when exploited by skilled cybercriminals. The hackers, a well-known group whose favored malware emerged in 2019, started exploiting a new flaw in the widely used file-transfer software called MOVEit in late May. They appeared to target as many vulnerable organizations as possible, making the attack opportunistic and leaving a wide range of entities at risk of extortion.
Earlier this month on LinkedIn, Charles Carmakal, Chief Technology Officer at Mandiant Consulting, a subsidiary of Google that has conducted investigations into the hack, said that the CLOP hackers are “overwhelmed” by the staggering number of victims. In contrast to their previous campaigns, where they directly contacted victims through email or telephone calls, the hackers are now asking victims to initiate the threatened ransom negotiations via email.
Jared Smith, a threat analyst with the cybersecurity firm SecurityScorecard, said:
What’s disconcerting about MOVEit is that it’s almost exclusively used by enterprise organizations to share extremely sensitive data with each other.
Alex Heid, chief research officer at SecurityScorecard, said this kind of sensitive data “adds more fuel to the fire of the already existing identity theft ecosystem.”