IOTW: US federal agencies hit with MOVEit cyber attack

A Russian-speaking hacking group successfully gained access to the email addresses of approximately 632,000 US federal employees within the US Departments of Defense and Justice during an extensive hack, according to a report obtained through a Freedom of Information Act.

The report, released by the US Office of Personnel Management (OPM), sheds light on the cyber attack's specifics, with the hackers exploiting vulnerabilities within the file-transfer tool MOVEit. However, little information was provided in the report about the attack’s scale or the affected agencies.

Government email addresses breached

Reporting to a congressional committee, the OPM revealed that an unauthorized actor had breached government email addresses, links to government employee surveys administered by the OPM, and internal OPM tracking codes.

The impacted employees were reportedly spread across the Department of Justice and various sectors of the Defense Department, including the Air Force, Army, US Army Corps of Engineers, and the Office of the Secretary of Defense among others.

The eight-page report by the OPM, originally presented to the House Science, Space, and Technology Committee in July, disclosed that the attack occurred on May 28-29, with hackers exploiting a vulnerability within the MOVEit file transfer program used by Westat Inc., a vendor that the OPM engages for federal employee viewpoint surveys. However, there was "no indication" that any unauthorized user had accessed the survey links.

Despite characterizing the hack as a "major incident," the OPM clarified that it did not perceive it as posing a significant risk, and the compromised data was "generally of low sensitivity" and unclassified.

The OPM’s disclosure was reported on 30 October by Bloomberg and Forbes, but the Department of Justice and the Department of Defense did not immediately respond to requests for comment.

MOVEit users targeted in cyber attack

According to reports, other US agencies such as the Department of Health and Human Services, the Department of Agriculture, and the General Services Administration, had previously confirmed their exposure to the MOVEit hack. Additionally, the Energy Department was said to have received ransom requests from the hackers after two of its entities had been victimized by the breach.

Progress Software Corp., the parent company of MOVEit, gave assurances that they have taken measures to mitigate the cyber attack's impact. The company said it empathized with the affected users and pledged to play a collaborative role in the industry-wide effort to combat cyber criminals.

According to reports, Westat responded to the attack by conducting a comprehensive investigation and collaborating with third-party specialists to enhance system security and reduce the likelihood of similar incidents occurring in the future.

Who is Clop?

The attack has been attributed to a Russian hacking group known as Clop, or ClOp. The group has been active since February 2019 and has a website located on the dark web where it routinely posts warnings or uploads data dumps from the organizations it has breached.

In June 2023, Clop posted a notice on the dark web warning firms it had exploited MOVEit to obtain data, giving the affected organizations a deadline to email them before the stolen data would be published. More than 100,000 staff at the BBC, British Airways and Boots were subsequently told that payroll data may have been taken. However, the BBC later reported that Clop, speaking over email, claimed ”we don't have that data" – raising the possibility that either another unknown hacking group had the stolen data or that Clop was lying.

Clop has reportedly survived multiple attempts to break its activities, including server raids by Ukrainian police in June 2021, which included arrests of multiple alleged hackers working for the group.

According to estimates, Clop has successfully attacked more than 230 organizations to date.

Get the latest insights on the cyber threat landscape

Download our 'Mid-Year State of Cyber Security Report' to learn about the current challenges that cyber security practitioners in Europe, the Middle East, Africa, and North America are facing, and discover where they are focusing their investment decisions in 2023 and beyond.

Read More