A Russian ransomware group gained access to data from several federal agencies, including the Department of Energy, in a campaign that exploited a vulnerability in widely used file-transfer software to steal data and then hold it for ransom, US officials said Thursday.
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the breach as largely “opportunistic”, not aimed at “specific valuable information” and not as damaging as previous cyberattacks on US government agencies.
“While we are deeply concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” Ms. Easterly told reporters on Thursday, referring to the massive breach that compromised several US intelligence agencies in 2020.
The Department of Energy said Thursday that data from two entities within the department had been compromised and it had notified Congress and CISA of the breach.
“DOE has taken immediate steps to prevent further exposure to the vulnerability,” said Chad Smith, the energy department’s deputy press secretary.
State Department and FBI representatives declined to comment on whether their agencies were affected.
According to an assessment by CISA and FBI investigators, Easterly said, the breach was part of a larger ransomware operation carried out by Clop, a Russian ransomware gang that exploited a vulnerability in the file-transfer software MOVEit to attack a range of local governments, universities and companies.
Earlier this month, government officials in Illinois, Nova Scotia and London announced they were among the software users affected by the attack. British Airways and the BBC say they too have been affected by the breach. Johns Hopkins University, the University System of Georgia and European oil and gas giant Shell released similar statements about the attack.
A senior CISA official said only a small number of federal agencies were affected, but declined to identify which ones. But, the official added, initial reports from the private sector suggested at least several hundred companies and organizations had been affected. The official spoke on condition of anonymity to discuss the attack.
According to data collected by the company GovSpend, a number of government agencies have purchased the MOVEit software, including NASA, the Treasury Department, Health and Human Services and Defense Department weapons programs. But it was not clear how many agencies were actively using it.
Clop had earlier claimed responsibility for the previous spate of breaches on its website.
The group stated that it had “no interest” in exploiting data stolen from government or police agencies and had deleted it, focusing only on stolen corporate information.
Robert J. Carey, the president of the cybersecurity firm Cloudera Government Solutions, noted that data stolen in ransomware attacks can easily be sold on to other criminals, regardless of what the thieves claim to have deleted.
“Anyone using this is probably compromised,” he said, referring to the MOVEit software.
CNN first reported that federal agencies were among those affected.
A representative for Progress Software, which makes MOVEit, said the company was “cooperating with federal law enforcement and other agencies” and would “fight increasingly sophisticated and persistent cybercriminals seeking to maliciously exploit vulnerabilities in widely used software products.” The company first disclosed the vulnerability and released a patch in May, and CISA added it to its catalog of known exploited vulnerabilities on June 2. Applying the patch closes the flaw but does not undo a theft that happened before it was applied, so organizations running the software also need to check whether they were already compromised.
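Who is exposed turns on two things the article mentions: whether the product is actually deployed (the GovSpend purchase data could not say who was running it) and whether the flaw is in CISA's catalog of known exploited vulnerabilities, whose entries carry a remediation due date. The following is an added Python example, not code from the article, from CISA or from Progress, that reconciles a constructed software inventory against a JSON snippet laid out in the format of CISA's KEV feed. The KEV entry's CVE identifier, product name and dates are those of the real MOVEit Transfer catalog entry; the inventory hosts, vendor spellings and versions are made up. It answers only "is it deployed, and by when must it be fixed", not whether a host was compromised before the patch went on.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The single entry
# mirrors the real MOVEit Transfer record (CVE-2023-34362, added 2023-06-02,
# due 2023-06-23); the surrounding document is trimmed to the fields used here.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2023-34362",
            "vendorProject": "Progress",
            "product": "MOVEit Transfer",
            "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability",
            "dateAdded": "2023-06-02",
            "shortDescription": "Progress MOVEit Transfer contains a SQL injection "
                                "vulnerability that could allow an unauthenticated "
                                "attacker to gain access to the MOVEit Transfer database.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2023-06-23",
        }
    ],
})

# Constructed asset inventory, as a CMDB or software-inventory export might look.
# Hostnames and versions are made up; note the inconsistent vendor spelling,
# which is typical of real inventories.
INVENTORY = [
    {"host": "xfer01.example.org", "vendor": "Progress", "product": "MOVEit Transfer", "version": "2023.0.0"},
    {"host": "xfer02.example.org", "vendor": "Progress Software", "product": "MOVEit Transfer", "version": "2022.1.5"},
    {"host": "web01.example.org", "vendor": "Apache", "product": "HTTP Server", "version": "2.4.57"},
]


def _norm(s):
    """Lower-case and collapse whitespace so feed and inventory spellings compare."""
    return " ".join(s.lower().split())


def load_kev(kev_json):
    """Return the list of catalog entries from a KEV-format JSON document."""
    return json.loads(kev_json)["vulnerabilities"]


def find_exposed(inventory, kev_entries, today_iso):
    """Match inventory assets against KEV entries by vendor and product.

    Vendor names differ between the feed and inventories ("Progress" vs
    "Progress Software"), so either side may be a prefix of the other; the
    product name must appear in the asset's product string. Returns one
    record per (asset, entry) hit with the days remaining until the KEV
    due date (negative once overdue). A hit means "deployed and listed",
    not "patched" and not "compromised"; both need separate checks.
    """
    today = date.fromisoformat(today_iso)
    hits = []
    for entry in kev_entries:
        vend = _norm(entry["vendorProject"])
        prod = _norm(entry["product"])
        for asset in inventory:
            av = _norm(asset["vendor"])
            if (av.startswith(vend) or vend.startswith(av)) and prod in _norm(asset["product"]):
                due = date.fromisoformat(entry["dueDate"])
                hits.append({
                    "host": asset["host"],
                    "version": asset["version"],
                    "cve": entry["cveID"],
                    "added": entry["dateAdded"],
                    "due": entry["dueDate"],
                    "days_to_due": (due - today).days,
                    "action": entry["requiredAction"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_exposed(INVENTORY, load_kev(KEV_SAMPLE), "2023-06-15"):
        print(hit)
```

In practice the feed is fetched from CISA's site and the inventory from whatever asset system is in use; the matching logic is the part that needs care, because vendor and product strings are rarely identical across the two sources.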
Asked about the possibility that Clop was acting in coordination with the Russian government, the CISA official said the agency had no evidence to suggest such coordination.
The MOVEit breach is another example of government agencies falling victim to organized cybercrime by Russian groups, as ransomware campaigns aimed broadly at Western organizations have repeatedly shut down critical civilian infrastructure, including hospitals, energy systems and city services.
Some past attacks appear to have been primarily financially motivated, such as the 2021 Russian ransomware attack that hit as many as 1,500 companies worldwide.
But in recent months, Russian ransomware groups have also carried out ostensibly political attacks with the tacit approval of the Russian government, targeting countries that have supported Ukraine since last year’s Russian invasion.
Shortly after the invasion, 27 government institutions in Costa Rica experienced ransomware attacks by another Russian group, Conti, forcing the country’s president to declare a national emergency.
Cyber-attacks from Russia were a bone of contention in US-Russia relations even before the war in Ukraine. The issue was at the top of the White House agenda when President Biden met with President Vladimir V. Putin of Russia in 2021.
A ransomware attack on one of the United States’ largest gasoline pipelines by a group believed to be based in Russia forced the pipeline’s operator to pay nearly $5 million to recover its data, just a month before Mr. Biden and Mr. Putin met. Federal investigators later said they had recovered much of the ransom during a cyber operation.
Also on Thursday, analysts at the cybersecurity firm Mandiant identified an attack on Barracuda Networks, an email security provider, which they assessed to be part of a Chinese espionage effort. That breach also affected a range of government and private organizations, including the foreign ministry of an ASEAN member state and foreign trade offices in Hong Kong and Taiwan, Mandiant wrote in its report.