A Russian ransomware group has gained access to data at federal agencies, including the Energy Department, in an attack that used file-transfer software to steal and sell user data, U.S. officials said Thursday.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described the breach as primarily “opportunistic,” neither focused on “specific high-value information” nor as destructive as previous cyberattacks that targeted U.S. government agencies.
“While we are very concerned about this activity, it is not one that poses systemic risk like SolarWinds,” Ms. Easterly told reporters on Thursday, referring to the massive breach in 2020 that compromised multiple U.S. intelligence agencies.
The Energy Department said Thursday that the records of two entities within the department had been compromised and that Congress and CISA had been notified of the breach.
“The Department of Energy took immediate steps to prevent further exposure of this vulnerability,” said Chad Smith, DOE’s deputy press secretary.
Representatives for the State Department and the FBI declined to comment on whether their agencies were affected.
Based on assessments by CISA and FBI investigators, Easterly said the intrusion was part of a larger ransomware operation by Clop, a Russian ransomware ring that exploited a vulnerability in the MOVEit file-transfer software to target a range of local governments, universities and companies.
Earlier this month, officials in Illinois, Nova Scotia and London revealed that they were among the users of the software affected by the attack. British Airways and the BBC said they were also affected by the breach. Johns Hopkins University, the University System of Georgia and the European oil and gas major Shell issued similar statements about the attack.
A senior CISA official said only a handful of federal agencies were affected, but declined to say which ones. However, initial reports from the private sector indicated that at least hundreds of companies and organizations were affected, the official added. The official spoke on condition of anonymity to discuss the attack.
According to data collected by GovSpend, a number of government agencies have purchased MOVEit software, including NASA, the Treasury Department, the Department of Health and Human Services and the Department of Defense. But it is unclear how many institutions are actively using it.
Clop previously claimed responsibility for an early wave of breaches on its site.
The group said it had “no interest” in exploiting any data stolen from government or police offices and had deleted it, focusing only on stolen business information.
Robert J. Carey, president of cybersecurity firm Cloudera Government Solutions, noted that data stolen in ransomware attacks can easily be sold to other illicit actors.
“Anyone using it could be compromised,” he said, referring to the MOVEit software.
The revelation that federal agencies were among those affected was reported earlier by CNN.
A representative for Progress Software, the maker of MOVEit, said the company had “engaged with federal law enforcement and other agencies” and would “combat an increasingly sophisticated and persistent class of cybercriminals intent on maliciously exploiting widely used vulnerabilities in its software products.” The company first discovered the vulnerability in its software in May and released a patch, and CISA added it to its online catalog of known exploited vulnerabilities on June 2.
Asked about the possibility of Clop coordinating operations with the Russian government, CISA officials said the agency had no evidence of such coordination.
The MOVEit breach is another example of government agencies falling victim to organized cybercrime by Russian groups, as widespread ransomware campaigns against Western targets have repeatedly shut down critical civilian infrastructure, including hospitals, energy systems and city services.
Historically, some attacks appear to be primarily financially motivated, such as the 2021 Russian ransomware attack on as many as 1,500 businesses worldwide.
But in recent months, Russian ransomware groups have also carried out ostensibly political attacks with the tacit approval of the Russian government, targeting countries that have supported Ukraine since Russia’s invasion last year.
Shortly after the invasion, 27 government agencies in Costa Rica were attacked with ransomware from another Russian group, Conti, forcing the country’s president to declare a national emergency.
Cyberattacks originating in Russia had already been a point of contention in U.S.-Russian relations before the Ukraine war. The issue was at the top of the White House’s agenda when President Biden met with Russian President Vladimir V. Putin in 2021.
Just a month before Mr. Biden and Mr. Putin met, a group believed to be based in Russia launched a ransomware attack on one of the largest gasoline pipelines in the United States, forcing the pipeline’s operator to pay $5 million to restore its stolen data. Federal investigators later said they recovered most of the ransom money in a cyber operation.
Also on Thursday, analysts at the cybersecurity firm Mandiant uncovered an attack on the email security provider Barracuda Networks that they said appeared to be part of a Chinese espionage operation. The breach also affected a range of government and private organizations, including ASEAN’s foreign ministries and foreign trade offices in Hong Kong and Taiwan, Mandiant wrote in its report.