CISA Reveals Multiple Federal Agencies Targeted in Global Cyberattack

Global cyberattacks have affected “several agencies” in the U.S. government by exploiting software vulnerabilities. U.S. Cybersecurity and Infrastructure Security Agency made a Thursday statement indicating that they are helping agencies affected by hacking activities.

CISA’s Response

CISA Assistant Executive Director for Cybersecurity Eric Goldstein:

(CISA), provides support to several federal departments that have been affected by intrusions into their MOVEit applications.

He added:

We are working to quickly understand the impacts and implement remediation.

Uncertainty remains as to whether the hackers who hacked the federal agencies were the same Russian-speaking group of ransomware that claimed responsibility for other victims during the ongoing hacking campaigns. CISA’s spokesperson refused to comment when asked about the hackers and the number of agencies affected.

CISA added a security flaw recently exploited in the Progress MOVEit Transfer (MFT), managed file transfer solution, to its list of known vulnerabilities that are targeted by attackers earlier this month. The U.S. Federal agencies were instructed to apply system updates by Friday, June 23.

Progress, the US-based company that owns MOVEit, has issued security recommendations and urged its victims to update the software.

The Growing List of Targets

This latest cyber-attack adds to the growing list of targets for a hacking campaign that began two weeks back and has already affected major U.S. Universities and state governments. Cyberattacks are increasing the pressure on officials at the federal level who have promised to combat the threat of ransomware that has disrupted schools and hospitals in the United States.

Johns Hopkins University, and its renowned healthcare system, recently revealed that personal and financial data, including health billing records and sensitive information, could have been stolen. Georgia’s state-wide university system, including the University of Georgia, and other state colleges, are investigating the extent and severity of this breach.

Clops, a hacking group that operates in Russian-speaking countries, has claimed responsibility for a number of recent hacks. They have also targeted employees at the BBC, British Airways, and Shell. Also, they have targeted the state governments of Minnesota and Illinois and the government of Nova Scotia. CLOP hackers said they “had information on hundreds” of companies.

Ransom Deadline

The ransomware group set a Wednesday, June 14 deadline for victims to contact it regarding ransom payments, and threatened to publish data from companies that they claimed to have hacked. They began to reveal additional alleged victims on their dark-web extortion website after the deadline had passed. On Thursday morning, the site did not list any U.S. federal government agencies. The hackers had previously threatened that on June 21, they would begin leaking stolen data.

This incident shows the impact that a single software bug can have on a cybercriminal’s ability to exploit it. Hackers, a group well-known for its malware that emerged in 2019, began exploiting a flaw in a widely-used file-transfer program called MOVEit late in May. The hackers appeared to have targeted as many organizations as possible. This made the attack opportunistic and left a variety of entities vulnerable to extortion.

Charles Carmakal revealed on Linkedin earlier this month that the CLOP hackers are “overwhelmed by the staggering amount of victims”. The hackers have changed their tactics from the previous campaigns, where they directly contacted the victims via telephone or email. They now ask the victims to initiate any threatened ransom negotiations by email.

Jared Smith is a threat analyst at the cybersecurity firm SecurityScorecard.

MOVEit’s most disconcerting feature is that it is almost exclusively used to exchange highly sensitive data between enterprise organizations.

Alex Heid is the chief research officer of Security Scorecard. He said that this type of sensitive information “adds fuel to the already existing ecosystem of identity theft.”