Multiple businesses and governments have been impacted by a cyber attack on MOVEit, a widely-used software, according to media reports.
On Thursday, several US federal government agencies fell victim to a major global cyberattack that exploited a vulnerability in the MOVEit software. The US Cybersecurity and Infrastructure Security Agency (CISA) is providing assistance to the affected federal agencies, as stated by Eric Goldstein, the agency’s Executive Assistant Director for Cybersecurity, in an interview with CNN. The identity of the hackers and the number of affected agencies remain undisclosed.
Over the past two weeks, a coordinated large-scale hacking campaign has targeted prominent universities, state and local governments in the United States. CLOP, a Russian-speaking hacking group, has claimed responsibility for some of the attacks in this campaign. The victims include BBC employees, British Airways, Shell, and state governments in Minnesota and Illinois, among others.
In a global hacking campaign, the US Department of Energy and several other federal agencies have been compromised due to a vulnerability in MOVEit Transfer, a widely-used file-transfer software. Two entities within the Department of Energy, namely Oak Ridge Associated Universities (a DOE contractor) and the Waste Isolation Pilot Plant (a facility in New Mexico for the disposal of defense-related nuclear waste), had their data compromised.
Additional victims of the MOVEit Transfer-related breach include Shell (a British energy giant), the University System of Georgia, Johns Hopkins University, and the Johns Hopkins Health System. These incidents add to a growing list of entities worldwide whose systems were infiltrated through the MOVEit Transfer software.
The hacking group Cl0p, believed to be linked to Russia, has claimed responsibility for the MOVEit hack but assured that it would not misuse any data obtained from government agencies. It has also stated that all such data has been erased.
CISA is actively assisting the breached federal agencies, although their names have not been disclosed. The agency stated that there have been no significant impacts on the federal civilian executive branch enterprise, but they continue to collaborate with their partners on addressing the issue.
The Department of Energy has informed Congress about the breach and is cooperating with law enforcement and CISA in the ongoing investigations. Shell has found no evidence of the breach affecting its core IT systems, but investigations are underway to determine the potential impact on user data. Johns Hopkins University and the University System of Georgia are also conducting investigations to assess the extent of the data exposure resulting from the MOVEit hack.
Last week, several large organizations, including the UK’s telecom regulator, British Airways, the BBC, and Boots (a drugstore chain), were also identified as victims of the hacking campaign.
CISA, the FBI, and the National Security Agency have not provided detailed comments or information regarding the breaches. MOVEit has engaged with federal law enforcement and is working closely with its customers to address the issue by implementing necessary fixes.
On Thursday, Progress Software, the maker of MOVEit Transfer, disclosed another critical vulnerability, although it is unclear whether hackers have exploited it. MOVEit Transfer is commonly used by organizations to securely share sensitive information with partners or customers, such as financial data for loan applications.