U.S. Agencies Breached in Cyberattack by Russian Ransomware Group

A Russian ransomware group has accessed data from federal agencies, including the Department of Energy, in an attack that exploits file transfer software to steal user data and sell it back, US officials said Thursday.

Cybersecurity and Infrastructure Security Agency Commissioner Jen Easterly said the breach was largely “opportunistic” and was not aimed at “specific high-value information” or at U.S. government agencies in particular. She said it was not as damaging as previous cyberattacks.

“We are very concerned about this campaign, but it’s not like SolarWinds. It’s not a campaign that poses a systemic risk,” Easterly told reporters on Thursday, referring to the massive 2020 breach that compromised multiple U.S. intelligence agencies.

The Department of Energy said Thursday that records from two organizations within the department had been leaked and that it had notified Congress and CISA of the leaks.

“DOE took immediate action to prevent further exposure to the vulnerability,” said Chad Smith, deputy press secretary for the Department of Energy.

State Department and FBI representatives declined to comment on whether their agencies were affected.

According to an assessment by CISA and FBI investigators, Easterly said, the breach was carried out by the Russian ransomware group Clop, which exploited a vulnerability in the MOVEit file transfer software to attack a series of municipalities, universities and businesses. The intrusion was part of a larger ransomware operation.

Earlier this month, officials in Illinois, Nova Scotia and London identified themselves as users of the software affected by the attack. British Airways and the BBC said they were also affected by the breach. Johns Hopkins University, the University System of Georgia and European oil and gas giant Shell have issued similar statements about the attack.

A senior CISA official said only a handful of federal agencies were affected, but did not specify which ones. The official added that initial reports from the private sector suggested that at least hundreds of businesses and organizations were affected. The official spoke about the attack on condition of anonymity.

According to data collected by GovSpend, many government agencies have purchased MOVEit software, including arms of NASA, the Treasury, Health and Human Services, and Defense. However, it was not clear how many of those institutions were actively using it.

Clop had previously claimed responsibility for an early wave of the breaches on its website.

The group said it had “no interest” in exploiting data stolen from government and law enforcement agencies, claiming it was interested only in stolen business information and would delete the government data.

Robert J. Carey, president of cybersecurity firm Cloudera Government Solutions, said data stolen in ransomware attacks could easily be sold to other bad actors.

“Anyone using it can be compromised,” he said of the MOVEit software.

CNN reported earlier that federal agencies were among those affected.

A representative for MOVEit, a product owned by Progress Software, said the company is “collaborating with federal law enforcement and other agencies” to combat “increasingly sophisticated attempts to maliciously exploit vulnerabilities in widely used software products” and “relentless cybercrime.” The company first identified the software vulnerability in May and issued a patch, and CISA added the vulnerability to its online catalog of known exploited vulnerabilities on June 2.

Asked about the possibility that Clop was working in tandem with the Russian government, the CISA official said the agency had no evidence of any such link.

The MOVEit breach is another example of a government agency falling victim to organized cybercrime by a Russian group. Broad ransomware campaigns against the West have repeatedly shut down hospitals, energy systems, city services and other civil infrastructure.

Some attacks historically appear to be primarily financially motivated, such as the Russian ransomware attack that hit 1,500 businesses worldwide in 2021.

But in recent months, Russian ransomware groups have also launched ostensible political attacks, with the tacit approval of the Russian government, targeting countries that have supported Ukraine since Russia’s invasion last year.

Shortly after the invasion, Costa Rica’s 27 government agencies were hit with ransomware attacks by another Russian group, Conti, forcing the country’s president to declare a national emergency.

Russia-originated cyberattacks were already a point of contention in U.S.-Russia relations even before the war in Ukraine. The issue was at the top of the White House agenda when President Biden met with Russian President Vladimir V. Putin in 2021.

Just a month before Biden and Putin met, a ransomware attack on America’s largest gasoline pipeline by a group believed to be based in Russia forced the pipeline operator to pay $500 million to recover its stolen data. Federal investigators later announced that they had recovered most of the ransom money in a cyber operation.

Also on Thursday, analysts at cybersecurity firm Mandiant said they had identified an attack against email security provider Barracuda Networks that appeared to be part of a Chinese espionage campaign. The breach also affected a wide range of government and private organizations, including the ASEAN Ministry of Foreign Affairs and the foreign trade offices of Hong Kong and Taiwan, Mandiant wrote in a report.
