On June 15, a major hacking operation impacted several US federal agencies, including the Department of Energy (DOE), exploiting a vulnerability in the commonly used file-transfer software, MOVEit Transfer, according to official sources.
The cyberattack led to a data breach at two DOE divisions: the DOE contractor Oak Ridge Associated Universities and the New Mexico-based Waste Isolation Pilot Plant, a defense-related nuclear waste disposal facility. This occurred when hackers exploited a security flaw in MOVEit Transfer, as stated by the DOE.
In addition, Shell, a prominent British energy company, the University System of Georgia, Johns Hopkins University, and Johns Hopkins Health System were also hit by the hacking campaign, as confirmed by separate statements from the affected organizations. Johns Hopkins Health System is a nonprofit that collaborates with Johns Hopkins University and oversees six hospitals and primary care centers.
These victims join an expanding list of affected entities in the US, UK, and beyond, all infiltrated via the MOVEit Transfer software. The cyberattackers took advantage of a security flaw discovered last month by the software's developer, Progress Software.
The Russia-affiliated ransomware group Cl0p, which has admitted to the MOVEit hack, previously stated that it would not misuse any data stolen from government agencies and claimed to have deleted such data. The group has yet to respond to requests for additional comments.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed it was assisting several breached federal agencies, although it did not disclose their names. The Energy Department, responsible for managing US nuclear infrastructure and energy policy, reported it had informed Congress about the breach and is collaborating with law enforcement and CISA in ongoing investigations.
A Shell spokesperson has stated there is no indication of core IT systems being affected by the breach linked to MOVEit Transfer. Johns Hopkins University, the University System of Georgia, and other large organizations, including the UK's telecom regulator, British Airways, the BBC and Boots, have also been named as victims and are actively investigating potential data exposures and their consequences.
CISA, the FBI, and the National Security Agency have not yet responded to requests for further details on the cyberattacks.
A spokesperson for MOVEit stated that the company is cooperating with federal law enforcement and helping customers to implement system fixes. On the same day, Progress Software's shares declined 6.1% and the company revealed another "critical vulnerability" in MOVEit Transfer, though it's unclear whether it has been exploited by hackers.
MOVEit Transfer is a crucial tool used by organizations to share sensitive information with stakeholders. It's employed in various scenarios, such as by bank customers uploading their financial data for loan applications. Hence, there is significant risk in what cyber adversaries might gain access to, warns John Hammond, a security researcher at Huntress.