A Russia-Based Hacking Rampage Hits US Agencies and Exposes Millions

United States cybersecurity officials said yesterday that a “small number” of government agencies have suffered data breaches as part of a broad hacking campaign that is likely being carried out by the Russia-based ransomware gang Clop. The cybercriminal group has been on a tear in exploiting a vulnerability in the file transfer service MOVEit to grab valuable data from victims including Shell, British Airways, and the BBC. But hitting US government targets will only increase global law enforcement’s scrutiny of the cybercriminals in the already high-profile hacking spree.

Progress Software, which owns MOVEit, patched the vulnerability at the end of May, and the US Cybersecurity and Infrastructure Security Agency released an advisory with the Federal Bureau of Investigation on June 7 warning about Clop’s exploitation and the urgent need for all organizations, both public and private, to patch the flaw. A senior CISA official told reporters yesterday that all US government MOVEit instances have now been updated. 

CISA officials declined to say which US agencies are victims of the spree, but they confirmed that the Department of Energy notified CISA that it is among them. CNN, which first reported the attacks on US government agencies, further reported today that the hacking spree impacted Louisiana and Oregon state driver’s license and identification data for millions of residents. Clop has previously also claimed credit for attacks on the state governments of Minnesota and Illinois.

“We are currently providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” CISA director Jen Easterly told reporters on Thursday. “Based on discussions we have had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information—in sum, as we understand it, this attack is largely an opportunistic one.”

Easterly added that CISA has not seen Clop threaten to release any data stolen from the US government. And the senior CISA official, who spoke to reporters on the condition that they not be named, said that CISA and its partners do not currently see evidence that Clop is coordinating with the Russian government. For its part, Clop has maintained that it is focused on targeting businesses and will delete any data from governments or law enforcement.

Clop emerged in 2018 as a standard ransomware actor that would encrypt a victim’s systems and then demand payment to provide the decryption key. The ransomware gang is also known for finding and exploiting vulnerabilities in widely used software and equipment to steal information from a variety of businesses and institutions and then launch data extortion campaigns against them. 

Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware, says that Clop was “moderately successful” with the ransomware approach. It eventually differentiated itself, though, by moving away from encryption-based ransomware and toward its current model of developing exploits for vulnerabilities in enterprise software and then using them to carry out mass data theft.

And while there may not be direct coordination between the Kremlin and Clop, research has repeatedly shown ties between the Russian government and ransomware groups. Under the arrangement, these syndicates can operate from Russia with impunity so long as they don’t target victims within the country and defer to the Kremlin’s influence. So is Clop really deleting data it gathers, even incidentally, from government victims?

“We don’t think US government agencies were specifically targeted. Clop simply hit any vulnerable server running the software,” Liska says of the MOVEit campaign. “But it is highly likely that any information Clop collected from the US government or other interesting targets was shared with the Kremlin.”