Russian cybercrime gang hacks federal agencies

A Russian-speaking cybercriminal group called CL0P has been waging a widespread data extortion campaign involving a vulnerability in MOVEit. | Sean Gallup/Getty Images

Multiple federal agencies are responding to a large-scale breach affecting a product used to transfer sensitive data, the Cybersecurity and Infrastructure Security Agency confirmed Thursday.

The hacks are connected to a file-transfer program called MOVEit, which has a security hole that a Russian-speaking extortion gang called CL0P has recently exploited to steal data from dozens of organizations across the globe and demand ransom payments.

“CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, executive assistant director for Cybersecurity at CISA, said in a statement. “We are working urgently to understand impacts and ensure timely remediation.”

The government has determined that CL0P perpetrated the attacks on the agencies, a senior administration official told reporters Thursday. The official was granted anonymity as a condition of speaking in detail about the campaign.

No civilian federal agencies have received a ransom demand or had their data leaked, and the government has not been in contact with CL0P, the official said. The person added that CISA is “not aware of any impact” to military branches or the intelligence community.

CISA and the National Security Council did not respond to a request for comment about which federal agencies had been hacked in the breach, which was first reported by CNN. About a dozen U.S. agencies have active contracts with MOVEit, according to the federal data procurement system, including the Department of Energy. CyberScoop reported Thursday that the agency’s systems were among those breached. DOE did not respond to a request for comment on the hack.

“We’ve been working closely … with the FBI and with our federal partners to understand prevalence within federal agencies,” CISA Director Jen Easterly told reporters in a briefing.

A spokesperson for the FBI declined to comment on the incidents, but pointed to a cyber advisory put out jointly with CISA on the MOVEit vulnerability last week that encouraged organizations to address threats from CL0P ransomware. The NSA did not respond to requests for comment on the attacks.

File-transfer applications have become popular targets for ransomware groups because they are a one-stop shop for victims to host sensitive data. CL0P has exploited vulnerabilities in two similar products in the past, CISA and the FBI said in their advisory.

An aide for Senate Homeland Security and Governmental Affairs Committee Chair Gary Peters (D-Mich.) said via an email that Peters “is aware of this situation and our office has asked CISA for more information on the impacts of this vulnerability.” The aide was granted anonymity to discuss the evolving investigation.
CL0P is believed to have begun stealing the files of a number of unnamed victims on Labor Day weekend, according to the government advisory. The group gave them until June 14 to respond to its ransom demand, and threatened to publish victims’ sensitive data if they did not, according to security researchers.

Given CL0P’s likely ties to the Kremlin, it should come as no surprise that no federal agencies’ data has leaked thus far, said Allan Liska, a ransomware expert at Recorded Future who monitors the group’s online presence.

“They likely have to check with their handlers before releasing that type of information,” Liska said.

The breach is the latest of a series of cyberattacks aimed at federal agencies in recent years. Most famously, in 2020 at least a dozen agencies were compromised as part of the SolarWinds breach, in which Russian government hackers gained access to these systems for over a year through exploiting a vulnerability in an update in software from cybersecurity group SolarWinds.