In the latest cyber incident affecting the US federal government, multiple agencies, including the US Department of Energy (DOE), the US Department of Agriculture, and the Office of Personnel Management, have fallen victim to a series of attacks by the Russia-based Clop ransomware gang. This cybercriminal group is exploiting vulnerabilities in Progress Software’s MOVEit Transfer secure file transfer platform to target public and private sector organizations worldwide.
The first flaw in MOVEit Transfer, a SQL injection vulnerability, was disclosed by Progress Software on May 31. This was followed by the discovery of another SQL injection vulnerability on June 9, which could potentially lead to unauthorized access to the system. Progress Software has released patches for both flaws.
The Clop gang, which is believed to be a non-state actor, operates with impunity within Russia. However, their status as a non-state actor may be challenged as the US State Department’s Rewards for Justice program has offered a $10-million bounty for information linking the Clop ransomware attacks to a foreign government.
Demetrice Rogers, a cybersecurity specialist and adjunct professor at Tulane University, believes that this attack could be one of the largest cyberattacks in recent history. The MOVEit file transfer software is widely used by government organizations, private organizations, and state governments, making it difficult to determine the full extent of the attack. Progress Software estimates that thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit.
While the Cybersecurity and Infrastructure Security Agency (CISA) has stated that these attacks have not had significant impacts on government enterprise, recent reports suggest that ransom demands have been made to DOE facilities. Clop’s claim that they delete any stolen data from government agencies is contradicted by these ransom demands. The US government has been taking steps to mitigate the vulnerabilities in MOVEit and is working with the broader technology community to enhance security controls in file-sharing applications.
CISA has not disclosed the identity of other impacted agencies or victims at this time. However, it has stated that there is no evidence of impact on military branches or intelligence services. It is crucial for organizations running MOVEit to apply the available patches to mitigate the risk. The government of Nova Scotia in Canada, the State of Oregon, the State of Louisiana, and the Minnesota Department of Education have also been targeted by Clop attacks.
Adam Meyers, senior vice president of intelligence at CrowdStrike, suggests that this spree of attacks by Clop is part of a broader trend of data weaponization. Ransomware attackers are increasingly resorting to data extortion rather than demanding ransoms. File transfer utilities like MOVEit provide an opportunity for threat actors to steal sensitive information and extort victims.
The federal government has not released a list of agencies affected by the Clop gang’s attacks. This may be due to the visibility challenges faced by the government, as different agencies may have their own infrastructures and setups for file transfer. It is possible that the Clop gang will disclose more organizations on their dark web leak site if the government does not provide more information.
The attacks by the Clop gang may continue as new vulnerabilities in MOVEit Transfer have been discovered. Progress Software has identified a third vulnerability that could lead to escalated privileges and unauthorized access. MOVEit customers are strongly urged to address this issue promptly.
Overall, the cyber incident involving the Clop ransomware gang has highlighted the need for enhanced cybersecurity measures and prompt action to mitigate vulnerabilities. Governments and organizations must remain vigilant and take steps to protect their systems and sensitive data from such attacks.

