The recent wave of cyberattacks targeting both government agencies and private companies has raised concerns about the security of sensitive data and the vulnerabilities present in widely used software. These cyberattacks, including the one on Thursday that affected numerous federal agencies, have highlighted a common factor: the use of MOVEit, a software program designed for file transfer.
On June 5, both the BBC and British Airways confirmed that they had fallen victim to a cyber exploit involving Zellis, a mutual third-party payroll provider. Zellis relies on MOVEit to handle files containing highly sensitive information such as employee bank account details, social security numbers, and other private data. However, what Zellis and its clients were unaware of was that MOVEit harbored a zero-day vulnerability, a flaw that had not been discovered or patched before the attacks occurred. This vulnerability allowed malicious actors to gain escalated privileges and unauthorized access to the environment.
While the company behind MOVEit, Progress Software, had knowledge of the vulnerability, its clients were left uninformed. Consequently, over 2,000 instances of exploitation took place, affecting organizations across the globe.
The recent cyberattack targeting software used across the United States has now impacted the US government as well. A spokesperson from the Department of Energy confirmed that the agency was among those affected by the attack. While the US Cybersecurity and Infrastructure Security Agency (CISA) has not disclosed the specific agencies involved, it noted that only a “small number” were victims of the attack. The extent and impact of the attack on the affected government agencies are still being assessed.
The identity of the responsible party behind the recent wave of cyberattacks targeting various organizations, including the US government, remains unclear. Previously, a Russian-speaking ransomware gang known as CLOP claimed responsibility for the hacks on BBC and British Airways. They demanded a ransom from the companies, threatening to publish private data if their demands were not met. However, the deadline for the ransom has passed, and no data has been released.
In response to the news of the US government attack, CLOP stated on its dark website that it had deleted all data belonging to government, city, and police services, assuring them that there was no need to contact the group. They requested that potential victims initiate negotiations with them instead. It is important to note that while CLOP may claim responsibility, other groups could also have exploited the MOVEit vulnerability, as it has been previously exposed. Therefore, the situation remains complex, and the involvement of multiple groups cannot be ruled out.
Eric Goldstein, the executive assistant director of the Cybersecurity and Infrastructure Security Agency (CISA), has acknowledged that CISA is actively assisting multiple federal agencies that have been targeted in cyberattacks. The agency is working diligently to assess the extent of the impacts and to facilitate prompt remediation measures.
Meanwhile, Progress Software, the company behind MOVEit, is taking steps to address the vulnerability by developing patches for the affected software. These patches are intended to fix the identified security flaws and enhance the overall resilience of MOVEit.