US Cybersecurity Officials said yesterday that a “small number” of government agencies suffered a data breach as part of an extensive hacking campaign likely carried out by the Russia-based Clop ransomware gang . The cybercriminal group worked hard to exploit the vulnerability in the file transfer service MOVEit to obtain valuable data from victims including Shell, British Airways and the BBC. But attacking US government targets will only increase global law enforcement’s scrutiny of cybercriminals in the already well-known cyberattack.
Progress Software, the company that owns MOVEit, patch vulnerability at the end of May and the US Cybersecurity and Infrastructure Security Agency release a tip with the Federal Bureau of Investigation on June 7 warned of Clop exploits and urgently required all organizations, both public and private, to patch the vulnerability. A senior CISA official told reporters yesterday that all US government versions of MOVEit are now up to date.
CISA officials declined to say which US agencies were victims of the scam, but they confirmed that the Department of Energy had informed CISA that they were among them. CNN first report attacks on US government agencies, more report today that the cyberattack affected Louisiana and Oregon driver’s licenses and identity data for millions of residents. Clop has also previously claimed responsibility for attacks on the Minnesota and Illinois state governments.
“We are currently providing support to a number of federal agencies that have been compromised affecting their MOVEit applications,” CISA director Jen Easterly told reporters on Thursday. “Based on discussions we have had with industry partners in the Joint Cyber Defense Cooperation Organization, these intrusions are not being leveraged to gain broader access, to gain persistence in targeted systems or to steal specific high-value information—in short, as we understand it, this attack is largely an opportunistic attack.
Easterly added that CISA has not seen Clop threaten to disclose any data stolen from the US government. And the senior CISA official, who spoke to reporters on condition of anonymity, said that CISA and its partners do not currently see evidence that Clop is coordinating with the Russian government. For its part, Clop insists that it is focused on targeting businesses and will remove any data from government or law enforcement.
Clop emerged in 2018 as a standard ransomware that would encrypt a victim’s system and then demand payment to provide the decryption key. The ransomware group is also known for finding and exploiting vulnerabilities in Widely used software and equipment to steal information from multiple businesses and organizations, then launch data extortion campaigns against them.
Allan Liska, an analyst with security firm Recorded Future that specializes in ransomware, said that Clop has had “moderate success” with its ransomware approach. However, it ultimately made a difference by moving away from encryption-based ransomware and moving towards a development model that exploits vulnerabilities in existing enterprise software and then uses them to perform mass data theft.
And while there may not be direct coordination between the Kremlin and Clop, research has repeatedly shown relationship between the Russian government and ransomware groups. Under the agreement, these corporations can operate from Russia with impunity as long as they don’t target domestic victims and obey the Kremlin’s influence. So does Clop really delete the data it collects, even by accident, from government victims?
“We don’t think US government agencies are a specific target. Liska talks about the MOVEit campaign. “But it’s very likely that any information Clop gathered from the US government or other interesting targets was shared with the Kremlin.”
