‘Several’ US government agencies hit  with cyberattack that exploited vulnerabilities in software

Several US government agencies have been hit in a global hacking campaign that exploited a vulnerability in widely used software.

‘We are working urgently to understand impacts,’ said Eric Goldstein, the executive assistant director for cybersecurity of the US Cybersecurity and Infrastructure Security Agency (CISA).

The agency did not clarify if the hackers responsible for the breaches were the same Russian-speaking ransomware collective that claimed credit for past victims in the hacking campaign.

While CISA did not specify how many federal agencies have been hit, Goldstein said that his agency ‘is providing support to several federal agencies that have experienced intrusions.’ 

In late May, the Russian-speaking gang of hackers known as CLOP began leveraging a new flaw, or exploit, discovered in a widely used file-transfer software known as MOVEit. The hackers seemed to penetrate as many vulnerable organizations as they could identify.

Progress Software, which owns MOVEit and distributes it as a ‘secure managed file transfer software,’ urged its customers to install updates to correct the flaw, alongside other security advice. 

Johns Hopkins University released a statement this week alerting patients, students and the public that ‘sensitive personal and financial information,’ including health billing records from the university’s well-regarded healthcare system may have been compromised in the attack.

CLOP claimed credit for similar assaults on state government systems in both Minnesota and Illinois, as well as on major international firms including British Airways and Shell.

The entire university system across the state of Georgia also reported that its dozens of state colleges and schools, including the 40,000-student University of Georgia, had been penetrated in the attack. University officials said they were still investigating the ‘scope and severity’ of the attack.

CLOP’s tell-tale ransomware packages first emerged in February of 2019, according to the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center.

The hacker group’s extortion attempts have occasionally been staggeringly lucrative, including payouts as high as $500 million.

Cybersecurity experts told CNN that, while CLOP was the first hacker group to make use of the MOVEit exploit, others may now have obtained the capabilities to launch copycat attacks, like those that hit US federal government agencies this week. 

The ransomware group set a deadline of this past Wednesday, telling its victims to begin paying up or risk the public release of their stolen data. 

The group also said that it would begin dropping names of their other alleged victims, but as of Thursday morning, no US federal agencies were listed.