US authorities said Thursday that a Russian ransomware group gained access to data from federal agencies including the Department of Energy by exploiting file transfer software to steal and sell back users’ data.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described the breach as largely “opportunistic” and said it was focused neither on “specific high-value information” nor on US government agencies, unlike previous cyberattacks.
“While we are very concerned about this campaign, it is not a campaign like SolarWinds that poses a systemic risk,” Ms Easterly told reporters on Thursday, referring to the large-scale breach that compromised several US intelligence agencies in 2020.
The Department of Energy said Thursday that records from two entities within the department had been compromised and that it had notified Congress and CISA about the breach.
“DOE took immediate steps to prevent further exposure to the vulnerability,” said Chad Smith, deputy press secretary for the Department of Energy.
Representatives for the State Department and the FBI declined to comment on whether their agencies had been affected.
According to an assessment by CISA and FBI investigators, Easterly said, the breach was part of a larger ransomware operation carried out by Clop, a Russian ransomware gang that exploited a vulnerability in the MOVEit file transfer software and targeted an array of local governments, universities and corporations.
Earlier this month, public officials in Illinois, Nova Scotia and London revealed that they were among the software users affected by the attack. British Airways and the BBC said they were also affected by the breach. Johns Hopkins University, the University System of Georgia, and the European oil and gas giant Shell have issued similar statements on the attack.
A senior CISA official said only a handful of federal agencies were affected, but declined to identify which ones. But, the official said, initial reports from the private sector suggested that at least several hundred companies and organizations had been affected. The official discussed the attack on condition of anonymity.
Several government agencies have purchased MOVEit software, according to data collected by the company GovSpend, including NASA, the Treasury Department, Health and Human Services and branches of the Department of Defense. But it was not clear how many agencies were actively using it.
Clop had previously claimed responsibility for an earlier wave of breaches on its website.
The group said it had “no interest” in exploiting any data stolen from government or police offices and was focusing only on the business data it had stolen.
Robert J. Carey, president of cybersecurity firm Cloudera Government Solutions, said data stolen in ransomware attacks can easily be sold to other illegal actors.
“Whoever is using it could be compromised,” he said, referring to the MOVEit software.
The revelation that federal agencies were among those affected was first reported by CNN.
A representative for MOVEit, which is owned by Progress Software, said the company had “engaged with federal law enforcement and other agencies” in an effort “to combat increasingly sophisticated and persistent cybercriminals” intent on exploiting vulnerabilities in widely used software products. The company originally identified the vulnerability in its software in May and issued a patch, and CISA added it to its online catalog of known exploited vulnerabilities on June 2.
Asked about the possibility that Clop was acting in coordination with the Russian government, the CISA official said the agency had no evidence to suggest such coordination.
The MOVEit breach is another example of government agencies falling victim to organized cybercrime by Russian groups, as ransomware campaigns aimed largely at Western targets have repeatedly shut down critical civic infrastructure, including hospitals, energy systems and city services.
Some attacks have historically appeared to be primarily economically motivated, such as a Russian ransomware attack in 2021 that hit as many as 1,500 businesses worldwide.
But in recent months, Russian ransomware groups have also engaged in apparently political attacks with tacit approval by the Russian government, homing in on countries that support Ukraine since Russia’s invasion last year.
Immediately after the invasion, 27 government institutions in Costa Rica suffered ransomware attacks by another Russian group, Conti, forcing the country’s president to declare a national state of emergency.
Cyberattacks originating in Russia have been a point of contention in US-Russia relations since before the war in Ukraine. The issue was at the top of the White House agenda when President Biden met Russian President Vladimir V. Putin in 2021.
A ransomware attack on one of the largest gasoline pipelines in the United States, by a group believed to be based in Russia, coerced the pipeline’s operator into paying $5 million to recover its stolen data just a month before Mr. Biden and Mr. Putin met. Federal investigators later said they recovered a significant portion of the ransom in a cyber operation.
Also on Thursday, analysts at the cybersecurity firm Mandiant identified an attack against Barracuda Networks, an email security provider, that they said appears to be part of a Chinese espionage effort. That breach also affected both government and private organizations, including the ASEAN foreign ministry and foreign trade offices in Hong Kong and Taiwan, Mandiant wrote in its report.