‘Several’ US government agencies hit with cyberattack that exploited vulnerabilities in software

‘Several’ US government agencies hit by cyberattack exploiting software vulnerabilities – but full scope remains unclear

Several US government agencies have been hit by a global hacking campaign that exploited a vulnerability in widely used software.

“We are working urgently to understand the implications,” said Eric Goldstein, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) executive assistant director for cybersecurity.

The agency did not clarify whether the hackers responsible for the breaches were the same Russian-language ransomware collective that took credit for previous victims in the hack campaign.

While CISA did not specify how many federal agencies were affected, Goldstein said his agency “provides support to several federal agencies that have been impacted by break-ins.”

In addition to federal agencies, the cyberattack also targeted state governments in Minnesota and Illinois, and the entire Georgia state university system, as well as British broadcaster BBC and Zellis, a payroll provider used by hundreds of businesses in Britain.

In late May, the Russian-speaking gang of hackers known as CLOP began exploiting a newly discovered flaw in a widely used file transfer software known as MOVEit. The hackers seemed to penetrate as many vulnerable organizations as they could identify.

Progress Software, which owns MOVEit and distributes it as “securely managed file transfer software,” urged its customers to install updates to fix the flaw, among other security advice.

Johns Hopkins University released a statement this week warning patients, students and the public that “sensitive personal and financial information,” including health billing data from the university’s renowned healthcare system, may have been compromised in the attack.

CLOP claimed credit for similar attacks against state government systems in both Minnesota and Illinois, as well as major international corporations, including British Airways and Shell.

The entire university system in the state of Georgia also reported that dozens of state colleges and schools, including the 40,000-student University of Georgia, were hit in the attack. University officials said they were still investigating the “scale and severity” of the attack.

CLOP’s telltale ransomware packages first appeared in February 2019, according to the Health Sector Cybersecurity Coordination Center of the US Department of Health and Human Services.

The hacker group’s extortion attempts have been staggeringly lucrative at times, with payouts of up to $500 million.

Cybersecurity experts told CNN that while CLOP was the first hacker group to use the MOVEit exploit, others may now have acquired the capabilities to launch copycat attacks, such as the one that hit US federal government agencies this week.

The ransomware group set a deadline last Wednesday and told victims to start paying or risk the public release of their stolen data.

The group also said it would begin dropping names of its other alleged victims, but as of Thursday morning no U.S. federal agencies had been listed.
