Russia-affiliated extortion gang Cl0p demanded ransoms from two entities of the Energy Department, including a facility for the disposal of defense-related radioactive nuclear waste.
The US Department of Energy has received ransom demands from the Russian-affiliated extortion group Cl0p at both its nuclear waste facility and science education facilities recently hit in a global hacking campaign, a spokesman said.
Energy Department contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, the New Mexico-based facility for the disposal of defense-related radioactive nuclear waste, were hit by the attack, first reported Thursday, which exploited a vulnerability in widely used software. Data was “compromised” at two entities within the Energy Department when hackers gained access through a vulnerability in the MOVEit file transfer software.
The demands came in emails to each facility, the spokesperson said Friday, but he declined to say how much money was involved.
“They came in individually, not as a kind of blind carbon copy,” said the spokesperson. “The two entities that received them did not go in” with Cl0p and there was no indication that the ransom requests were withdrawn, the spokesperson said.
The Department of Energy, which manages U.S. military-related nuclear weapons and nuclear waste sites, has notified Congress of the breach and is participating in investigations with law enforcement and the U.S. Cybersecurity and Infrastructure Security Agency. The agency has said it has not seen significant impacts on the federal civilian executive branch, but was working with partners on the matter.
Cl0p has said it would not use government agency data and that it had cleared all such data.
Cl0p did not respond to requests for comment, but in an all-caps post on its website on Friday, the group said “WE HAVE NO GOVERNMENT DATA” and suggested that if the hackers accidentally obtained such data in their mass theft, “WE STILL DO IT LIKE IT THING AND DELETE EVERYTHING.”
Allan Liska, an analyst at the cybersecurity firm Recorded Future, said Cl0p likely made a big deal out of how they allegedly deleted government data in an effort to protect themselves from retaliation from Washington and other governments.
“They think, ‘If we post this, the government won’t come after us.’ I think the thinking is, ‘As long as we don’t keep records from hospitals and government agencies, we can operate under the radar.’”
No one in the security community took the group’s claim of data destruction seriously, Liska said. “Everyone in the security community was like, ‘Yeah, good. You probably gave it to your Russian escorts.’”
Earlier this month, US and UK cybersecurity officials warned that a Russian cyber-extortion gang had hacked MOVEit and that it would have a global impact as the file transfer program was popular with businesses. Zellis, a leading provider of payroll services in the UK serving British Airways, the BBC and hundreds of others, was one of the affected users. The British drugstore chain Boots was also hit.
Last month, Microsoft accused Chinese state-sponsored hackers of launching attacks against critical infrastructure in the US.