Welcome to The Cybersecurity 202! We won’t publish Monday for the Juneteenth holiday. That means we’ll see you next on Tuesday, when I’ll be one year older (and hopefully wiser).

Below: An unlikely duo reportedly considers purchasing NSO’s assets, and the E.U. bans equipment made by Chinese telecom companies from its internal networks. First:

Clop’s exploitation of the MOVEit vulnerability claims government victims

The wait is over for the big fallout to arrive from a ransomware gang mass-exploiting a vulnerability in the MOVEit Transfer file-sharing tool. And U.S. government agencies are on the growing victim list.

That fallout is pretty mixed, overall. There are worrisome elements to some of what’s happening, but there are also reasons to think things aren’t as bad as other similar, past incidents, according to cybersecurity experts and authorities.

A senior Cybersecurity and Infrastructure Security Agency official said that only a “small number” of U.S. agencies have been impacted by an attack campaign likely carried out by the ransomware gang known alternately as Clop or Cl0p. And CISA Director Jen Easterly said the hackers didn’t appear to acquire “specific, high-level information” from the agencies.

On the other hand, those government compromises reportedly include a government-managed radioactive waste storage site, and the known victim count beyond government agencies was at approximately 50 as of Thursday night, by one count — with the hackers saying they had hundreds of victims. And there’s a chance that other hackers might have exploited, or might soon exploit, the vulnerability.

And that’s only part of the implications — which span the not-so-bad, worse and less clear.

Not-so-bad

In terms of severity, Easterly told reporters, the attacks don’t compare to one of the biggest to hit federal agencies — the SolarWinds campaign discovered in 2020. “Although we are very concerned about this campaign … this is not a campaign like SolarWinds that presents a systemic risk to our national security,” she said Thursday.

A U.S. official speaking on the condition of anonymity because of the matter’s sensitivity said agencies have been aware of the issue for weeks and have taken steps to mitigate it. The senior CISA official said they weren’t aware of any agencies currently running unpatched versions of MOVEit. (CISA ordered federal agencies to patch the software around two weeks ago.)

There also isn’t evidence of the Russian-speaking Clop gang coordinating with Moscow, the CISA official said. And the official wasn’t aware of any impact on U.S. military branches or the intelligence community at this time. Sean Lyngaas of CNN first reported that government agencies were affected.

Clop has said it will delete any government data. That’s a sign that ransomware gangs are scared of drawing government attention, said Tom Bossert, the former homeland security adviser in President Donald Trump’s White House.

“The aggressive takedowns of ransomware groups by the U.S. government appear to be having a positive effect,” Bossert, now president and chief strategy officer at the Trinity Cyber firm, told me. “They’re so afraid they’d be taken down, that they put out a statement.”

Easterly referred to the attack as “opportunistic,” something that Chris Yule, director of threat research at the cyber company Secureworks’ Counter Threat Unit, backed up in an email.

“This attack took place by mass-exploiting vulnerable systems, so was opportunistic in nature — it’s unlikely the group has purposely targeted government agencies,” he told me. “They’ve promised to not publish any government data they may have inadvertently got their hands on and so are unlikely to make any money from it. But even if they don’t publish it publicly, the data is still in the wrong hands and that will be a concern for those impacted organizations.”

Worse

Of course, it’s never great when hackers are hitting big, important targets. But some parts of the MOVEit story make it especially bad.

Progress Software, the company that makes MOVEit, revealed another critical vulnerability on Thursday.

If Clop is exploiting the vulnerability, then it’s probable U.S. cyber adversaries like the governments of China, Iran, North Korea and Russia are exploiting it too, Bossert said. “Our most sophisticated adversaries most likely, almost assuredly, used it to gain and keep access, a kind of beachhead into our critical networks,” he said.

The two known U.S. government victims are at the Energy Department, one of which is reportedly the radioactive waste site that the department manages.

  • “The U.S. Department of Energy (DOE) takes cybersecurity and the responsibility to protect its data very seriously,” spokesperson Chad Smith said via email.
  • “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified” CISA, Smith continued. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

The hackers are asking for an awful lot of money, tweeted Christopher Glyer, principal security researcher at Microsoft Threat Intelligence.

The list of known victims keeps growing to include big organizations like Johns Hopkins University, Shell and Ernst & Young. And Clop has begun extorting its victims.

Less clear

Sometimes it’s a bit of a mystery whether something is going badly or well. In early June, the cyber firm Censys found 3,000 MOVEit hosts exposed to the internet. About a week later, it had dropped to 2,600. Censys also broke down those numbers by industry and geography.

“The thinking there is, maybe some of them got attacked and were pulled offline,” Emily Austin, a researcher at the company, told me. “Maybe some of those were mitigation moves. We don’t exactly know the breakdown there.”

And maybe the fallout isn’t entirely over yet, either. Said Austin: “It doesn’t seem like maybe the worst we’ve ever seen, but I think we haven’t seen the worst of it yet.”

Ellen Nakashima contributed to this report.

The keys

Russian national arrested, charged for role in LockBit ransomware attacks

A Russian national was arrested in Arizona and charged with participating in notorious LockBit ransomware attacks against victims in the United States and around the world, AJ Vicens reports for CyberScoop.

Ruslan Magomedovich Astamirov, 20, was taken into custody Wednesday, according to the outlet. The announcement marks the third instance of a Russia-affiliated individual arrested in connection to LockBit activities.

  • “LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site,” the report says, citing a June 14 advisory from CISA.

“Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities,” Vicens writes.

  • “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly … to identify ransomware perpetrators and bring them to justice,” U.S. Attorney Philip R. Sellinger for the District of New Jersey said in a statement.

Hollywood producer and gum magnate mulling purchase of NSO assets

A Hollywood producer and a gum magnate are considering purchasing notorious Israeli spyware firm NSO Group’s assets, Stephanie Kirchgaessner reports for the Guardian.

  • “Robert Simonds, a US financier whose credits include producing several Adam Sandler films, has been engaged in talks to acquire the blacklisted spyware company’s assets,” the report says, citing people familiar with the matter.
  • Additionally, Kirchgaessner writes: “A firm owned by Simonds’s friend, William ‘Beau’ Wrigley — who was an heir to his family’s chewing gum fortune and has since become involved in the cannabis industry — has conducted due diligence in connection to a possible NSO deal, according to a document seen by the Guardian.”

After it published its story on the potential deal, a Wrigley spokesperson told the Guardian that “Mr Wrigley evaluates many opportunities, all of which are strictly confidential. Mr Wrigley is not pursuing an investment in NSO.”

  • An NSO spokesperson said they were not aware of the plans, according to the report. Simonds didn’t respond to the outlet’s request for comment.

The development is one of several in which entities, including U.S. defense contractors, have considered taking ownership of the company.

The development comes as Hanan Elatr, the wife of murdered journalist Jamal Khashoggi, sued NSO alleging the group infected her phone with the spyware to track her late husband, our colleague Dana Priest reports.

  • It also comes amid scrutiny of spyware around the world. The E.U. on Thursday adopted a resolution on spyware investigations and abuse.

E.U. bans Chinese telecom equipment from internal networks

The E.U. will ban equipment made by Chinese telecom companies Huawei and ZTE from its internal communications networks, Jillian Deutsch and Thomas Seal report for Bloomberg News.

  • Deutsch and Seal write: “As part of an effort to crack down on Chinese equipment in critical infrastructure, European Union’s executive arm urged countries to phase out high-risk vendors” from telecom networks, according to guidelines published Thursday.
  • Huawei said it “strongly opposes and disagrees” with the E.U. announcement, which it said was “clearly not based on a verified, transparent, objective and technical assessment of 5G networks,” Politico Europe’s Antoaneta Roussi reports.

The move comes as the E.U. faces increased pressure from U.S. counterparts to take a tougher stance on China, the report notes. The U.S. has previously taken action against Huawei and ZTE, claiming they pose a security threat and could enable Chinese officials to conduct espionage or disrupt networks. The companies deny the allegations.

Meanwhile, the European Union’s industry chief, Thierry Breton, on Thursday urged more E.U. nations to join in restricting or banning the companies, Foo Yun Chee reports for Reuters.

“To date, only 10 of them have used these prerogatives to restrict or exclude high-risk vendors,” Breton said in a news conference. “This is too slow, and it poses a major security risk and exposes the Union’s collective security, since it creates a major dependency for the E.U. and serious vulnerabilities.”

On the move

  • Chetrice Mosley-Romero will conclude her service as Indiana’s first cybersecurity program director — effective June 19 — and will join CISA as the first cybersecurity state coordinator for Indiana.

Daybook

  • Former Undersecretary of Defense for Intelligence Michael Vickers speaks at a Center for Strategic and International Studies event on U.S. intelligence operations at noon.

Secure log off

Thanks for reading. See you next week.
