A Russian hacker group exploited a MOVEit file transfer service flaw to comprise several federal agencies’ data. According to TechCrunch, the ransomware gang known as “CL0P” accessed the data of corporations, governments, and other institutions worldwide. The total number affected by Cl0p’s attacks is still unknown. However, new victims have come forward since the initial reveal of the exploit. Reuters reports that the attack affects The US energy department, Johns Hopkins University, the British energy corporation Shell and others.
Russian hackers illegally accessed data from institutions and companies worldwide.
The hackers abused a vulnerability in MOVEit, a large-scale digital file transfer service. According to SC Magazine, the company has contracts with corporations, agencies, and institutions worldwide. For example, the Department of Homeland Security, Chase Bank, Disney, JetBlue, GEICO, and Major League Baseball use MOVEit.
The sheer number of conglomerates who relied on MOVEit’s services allowed CL0P to cast a wide net. In early June 2023, victims of CL0P’s attacks started coming forward. One of the first companies to disclose their attack was British Airways, which had its payroll data stolen.
British Airways used Zellis, a human resources and payroll software provider, who used MOVEit to transfer data. The BBC, the United Kingdom’s public broadcaster, also confirmed it had data stolen in the Zellis breach. Additionally, the government of Novia Scotia, Canada, which used MOVEit to share files between departments, came forward as a victim.
And according to CNN, millions of Americans living in Louisiana and Oregon had their Department of Motor Vehicles information stolen. They say the data breach affected 3.5 million Oregonians. And officials from the Louisiana governor’s office said that the hack compromised the data of more than six million Louisianians.
Additionally, CL0P stole data from the Office of Personnel Management (OPM), an independent human resources agency for civilian federal employees. However, the scope of the breach is still unknown.
CL0P might not be the only bad actor in this situation.
BBC reports CL0P claims they don’t have data from British Airways or several other British companies, including BBC. According to cybersecurity expert Amir Hadžipasić, CL0P has no reason to lie about the data they’ve stolen. He said if the hacker group is telling the truth, the situation is potentially worse than previously thought. “If CL0P [doesn’t] have the data, then this situation is less predictable,” Hadžipasić said. “The files are going to end up somewhere on the dark web via another hacking group.”
Despite CL0P denying they stole data from certain companies in the UK, they’re taking full advantage of the stolen data. CNN reports the hacker group asked for a $100 million ransom from at least one of its corporate victims. A source who remained anonymous because they weren’t authorized to speak to the press said CL0P is “extremely aggressive.”
The US has beefed up cybersecurity since 2021.
Unfortunately, the nature of information technology means hacks and bad actors are almost inevitable. However, after several ransomware attacks, an executive order from 2021 pushed federal agencies to better prepare for cyber attacks. Jeff Greene, senior director of the Aspen Institute’s cybersecurity program, said agencies are better prepared to handle the situation. He said federal agencies such as the FBI and CISA “are in a pretty good place to […] provide assistance.”
However, the damage of CL0P’s and potentially other hacker group’s exploits remains unknown. It could be several months before we understand the total scope of the MOVEit breach.
