Cybersecurity in the United States

Officials said yesterday that a “small number” of government agencies have suffered data breaches as part of a massive hacking campaign that is likely being carried out by the Russia-based Clop ransomware gang. The cybercriminal group was quick to exploit a vulnerability in the MOVEit file transfer service to steal valuable data from victims such as Shell, British Airways and the BBC. But hitting US government targets will only increase the scrutiny of the cybercriminals by global law enforcement in an already high-profile hacking spree.
Progress Software, the owner of MOVEit, patched the vulnerability at the end of May, and on June 7 the US Cybersecurity and Infrastructure Security Agency published a joint advisory with the Federal Bureau of Investigation warning of Clop’s exploitation of the flaw and of the urgent need for all organizations, public and private, to patch it. A senior CISA official told reporters yesterday that all US government MOVEit instances have now been updated.
CISA officials declined to say which US agencies were victims of the spree, but they did confirm that the Department of Energy had informed CISA that it was among them. CNN, which first reported the attacks on US government agencies, reported further today that the hacking spree has affected driver’s licenses and state IDs of millions of residents in Louisiana and Oregon. Clop has also claimed credit for attacks on the state governments of Minnesota and Illinois.
“We are currently providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” CISA Director Jen Easterly told reporters Thursday. “Based on discussions we have had with industry partners as part of the Joint Cyber Defense Collaborative, these intrusions are not leveraged to gain broader access, to gain persistence in targeted systems or to steal specific high-value information – in sum, as we understand this, this attack is largely opportunistic.”
Easterly added that CISA has not seen Clop threaten to release data stolen from the US government. And the senior CISA official, who spoke to reporters on the condition that they not be named, said CISA and its partners currently see no evidence that Clop is coordinating with the Russian government. For its part, Clop has maintained that it is focused on targeting businesses and would delete any government or law-enforcement data.
Clop emerged in 2018 as a conventional ransomware actor that would encrypt a victim’s systems and then demand payment for the decryption key. The gang is also known for finding and exploiting vulnerabilities in widely used software and equipment to steal information from many companies and institutions at once, and then running data-extortion campaigns against them.
Allan Liska, a ransomware analyst at the security firm Recorded Future, said Clop had been “moderately successful” with the ransomware approach. However, it ultimately differentiated itself by moving away from encryption-based ransomware and towards its current model of developing exploits for enterprise software vulnerabilities and then using them to carry out mass data thefts.
And while there may not be direct coordination between the Kremlin and Clop, research has repeatedly shown links between the Russian government and ransomware groups. Under this arrangement, these groups can operate from Russia with impunity as long as they do not target victims inside the country and remain subject to the Kremlin’s influence. So, would Clop really delete the data it collects, even inadvertently, from government victims?
“We do not believe that US government agencies were specifically targeted. Clop just hit any vulnerable server running the software,” Liska says of the MOVEit campaign. “But it’s highly likely that any information Clop gathered from the US government or other interesting targets was shared with the Kremlin.”