The U.S. government has confirmed that multiple federal agencies have fallen victim to cyberattacks exploiting a security vulnerability in a popular file transfer tool.
In a statement shared with TechCrunch, CISA confirmed that “several” U.S. government agencies have experienced intrusions related to the exploitation of a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. The agency also attributed the attacks to the Russia-linked Clop ransomware gang, which this week started posting the names of organizations it claims to have hacked by exploiting the MOVEit flaw.
CISA did not say how many agencies were impacted by the attacks, which CNN first reported, and didn’t name the agencies affected. However, the Department of Energy confirmed to TechCrunch that two of its entities were among those breached.
“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA),” a DoE spokesperson said. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”
According to the Federal News Network, Oak Ridge Associated Universities and a Waste Isolation Pilot Plant located in New Mexico were the two DOE entities impacted by the vulnerability, exposing “the personally identifiable information of potentially tens of thousands of individuals, including Energy employees and contractors.”
Around a dozen other U.S. agencies have active MOVEit contracts, according to the Federal Data Procurement System. This includes the Department of the Army, the Department of the Air Force and the Food and Drug Administration.
In a press conference on Thursday addressing the MOVEit vulnerability, CISA director Jen Easterly said the cybersecurity agency is working with impacted agencies “urgently to understand impacts and ensure timely remediation.” While it’s not yet known whether data has been stolen, Easterly added that the intrusions are not being leveraged to “steal specific high value information” or to gain persistence into targeted systems.
“In sum, as we understand it, this attack is largely an opportunistic one,” Easterly said. “In addition, we are not aware of Clop actors threatening to extort or release any data stolen from U.S. government agencies.”
In a new update posted to its dark web leak site, Clop claimed that government data had been erased and no government agencies have yet been listed as victims.
However, Clop has added another batch of victims that it claims to have compromised via the MOVEit vulnerability, including the Boston Globe, California-based East Western Bank, New York-based biotechnology company Enzo Biochem and Microsoft-owned AI firm Nuance.
Lynn Granito, an agency spokesperson representing Enzo, told TechCrunch the company would not be commenting. None of the other newly listed companies have responded to TechCrunch’s questions.
The Russia-linked ransomware group posted the first batch of impacted organizations – a list that includes U.S.-based financial services organizations 1st Source and First National Bankers Bank and U.K. energy giant Shell – just one day earlier.
As new victims continue to come to light, Progress Software has rushed to patch a new vulnerability impacting MOVEit Transfer. This vulnerability, tracked as CVE-2023-35708, could lead to unauthorized access to customer environments, Progress warned in its advisory.