U.S. Agencies Breached in Cyberattack by Russian Ransomware Group
A Russian ransomware group gained access to data from federal agencies, including the Energy Department, in an attack that exploited file transfer software to steal and sell back users’ data, U.S. officials said on Thursday.
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, described the breach as largely “opportunistic” and neither focused on “specific high-valuable information” nor as damaging as previous cyberattacks on U.S. government agencies.
“Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” Ms. Easterly told reporters on Thursday, referring to the massive breach that compromised several U.S. intelligence agencies in 2020.
The Energy Department said on Thursday that records from two entities within the department had been compromised and that it had notified Congress and C.I.S.A. of the breach.
“D.O.E. took immediate steps to prevent further exposure to the vulnerability,” Chad Smith, the Energy Department’s deputy press secretary, said.
Representatives for the State Department and the F.B.I. declined to comment on whether their agencies were affected.
According to an assessment by C.I.S.A. and F.B.I. investigators, Easterly said, the breach was part of a larger ransomware operation carried out by Clop, a Russian ransomware gang that exploited a vulnerability in the software MOVEit and attacked an array of local governments, universities and corporations.
Earlier this month, public officials in Illinois, Nova Scotia and London disclosed that they were among the software users affected by the attack. British Airways and the BBC said they were also affected by the breach. Johns Hopkins University, the University System of Georgia, and the European oil and gas giant Shell have released similar statements on the attack.
A senior C.I.S.A. official said only a small number of federal agencies had been affected, but declined to identify which ones they were. But, the official added, initial reports from the private sector suggested that at least several hundred companies and organizations had been affected. The official spoke on the condition of anonymity to discuss the attack.
According to data collected by the company GovSpend, a number of government agencies have purchased the MOVEit software, including NASA, the Treasury Department, Health and Human Services and arms of the Defense Department. But it was not clear how many agencies were actively using it.
Clop previously claimed responsibility for the earlier wave of breaches on its website.
The group stated it had “no interest” in exploiting any data stolen from governmental or police offices and had deleted it, focusing only on stolen business information.
Robert J. Carey, the president of the cybersecurity firm Cloudera Government Solutions, noted that data stolen in ransomware attacks can easily be sold to other illegal actors.
“Anyone who’s using this is likely compromised,” he said, referring to the MOVEit software.
The revelation that federal agencies were also among those affected was earlier reported by CNN.
A representative for MOVEit, which is owned by Progress Software, said the company had “engaged with federal law enforcement and other agencies” and would “combat increasingly sophisticated and persistent cybercriminals intent on maliciously exploiting vulnerabilities in widely used software products.” The company originally identified the vulnerability in its software in May, issuing a patch, and C.I.S.A. added it to its online catalog of known vulnerabilities on June 2.
Asked about the possibility that Clop was acting in coordination with the Russian government, the C.I.S.A. official said the agency had no evidence to suggest such coordination.
The MOVEit breach is another example of government agencies falling victim to organized cybercrime by Russian groups, as ransomware campaigns aimed broadly at Western targets have repeatedly shut down critical civilian infrastructure including hospitals, energy systems and city services.
Some attacks have historically appeared to be primarily financially motivated, such as the Russian ransomware attack in 2021 that hit as many as 1,500 businesses worldwide.
But in recent months, Russian ransomware groups have also engaged in ostensibly political attacks with tacit approval by the Russian government, homing in on countries that have supported Ukraine since Russia’s invasion last year.
Shortly after the invasion, 27 government institutions in Costa Rica suffered ransomware attacks by another Russian group, Conti, forcing the country’s president to declare a national state of emergency.
Cyberattacks originating in Russia were already a point of contention in U.S.-Russian relations before the war in Ukraine. The issue was at the top of the White House’s agenda when President Biden met with President Vladimir V. Putin of Russia in 2021.
A ransomware attack on one of the United States’ largest gasoline pipelines by a group believed to be in Russia forced the pipeline’s operator to pay $5 million to recover its stolen data just a month before Mr. Biden and Mr. Putin met. Federal investigators later said they recovered much of the ransom in a cyber operation.
Also on Thursday, analysts at the cybersecurity firm Mandiant identified an attack against Barracuda Networks, an email security provider, that they said appeared to be part of a Chinese espionage effort. That breach also affected a range of both governmental and private organizations, including the ASEAN Ministry of Foreign Affairs and foreign trade offices in Hong Kong and Taiwan, Mandiant wrote in its report.