Welcome to The Cybersecurity 202! We won’t publish Monday for the Juneteenth holiday. That means we’ll see you next on Tuesday, when I’ll be one year older (and hopefully wiser).

Below: An unlikely duo reportedly considers purchasing NSO’s assets, and the E.U. bans equipment made by Chinese telecom companies from its internal networks. First:

Clop’s exploitation of the MOVEit vulnerability claims government victims

The wait is over for the big fallout to arrive from a ransomware gang mass-exploiting a vulnerability in the MOVEit Transfer file-sharing tool. And U.S. government agencies are on the growing victim list.

That fallout is pretty mixed, overall. There are worrisome elements to some of what’s happening, but there are also reasons to think things aren’t as bad as other similar, past incidents, according to cybersecurity experts and authorities.

A senior Cybersecurity and Infrastructure Security Agency official said that only a “small number” of U.S. agencies have been impacted by an attack campaign likely carried out by the ransomware gang known alternately as Clop or Cl0p. And CISA Director Jen Easterly said the hackers didn’t appear to acquire “specific, high-level information” from the agencies.

On the other hand, those government compromises reportedly include a government-managed radioactive waste storage site, and the known victim count beyond government agencies was at approximately 50 as of Thursday night, by one count — with the hackers saying they had hundreds of victims. And there’s a chance that other hackers might have exploited, or might soon exploit, the vulnerability.

And that’s only part of the implications — which span the not-so-bad, worse and less clear.


In terms of severity, Easterly told reporters, the attacks don’t compare to one of the biggest to hit federal agencies — the SolarWinds campaign discovered in 2020. “Although we are very concerned about this campaign … this is not a campaign like SolarWinds that presents a systemic risk to our national security,” she said Thursday.

A U.S. official speaking on the condition of anonymity because of the matter’s sensitivity said agencies have been aware of the issue for weeks and have taken steps to mitigate it. The senior CISA official said they weren’t aware of any agencies currently running unpatched versions of MOVEit at the moment. (CISA ordered federal agencies to patch the software around two weeks ago.)

There also isn’t evidence of the Russian-speaking Clop gang coordinating with Moscow, the CISA official said. And the official wasn’t aware of any impact on U.S. military branches or the intelligence community at this time. Sean Lyngaas of CNN first reported that government agencies were affected.

Clop has said it will delete any government data. That’s a sign that ransomware gangs are scared of drawing government attention, said Tom Bossert, the former homeland security adviser in President Donald Trump’s White House.

“The aggressive takedowns of ransomware groups by the U.S. government appears to be having a positive effect,” Bossert, now president and chief strategy officer at the Trinity Cyber firm, told me. “They’re so afraid they’d be taken down, that they put out a statement.”

Easterly referred to the attack as “opportunistic,” something that Chris Yule, director of threat research at the cyber company Secureworks’ Counter Threat Unit, backed up in an email.

“This attack took place by mass-exploiting vulnerable systems, so was opportunistic in nature — it’s unlikely the group has purposely targeted government agencies,” he told me. “They’ve promised to not publish any government data they may have inadvertently got their hands on and so are unlikely to make any money from it. But even if they don’t publish it publicly, the data is still in the wrong hands and that will be a concern for those impacted organizations.”


Of course, it’s never great when hackers are hitting big, important targets. But some parts of the MOVEit story make it especially bad.

Progress Software, the company that makes MOVEit, revealed another critical vulnerability on Thursday.

If Clop is exploiting the vulnerability, then it’s probable U.S. cyber adversaries like the governments of China, Iran, North Korea and Russia are exploiting it too, Bossert said. “Our most sophisticated adversaries most likely, almost assuredly, used it to gain and keep access, a kind of beachhead into our critical networks,” he said.

The two known U.S. government victims are at the Energy Department, one of which is reportedly the radioactive waste site that the department manages.

  • “The U.S. Department of Energy (DOE) takes cybersecurity and the responsibility to protect its data very seriously,” spokesperson Chad Smith said via email.
  • “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified” CISA, Smith continued. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

The hackers are asking for an awful lot of money, tweeted Christopher Glyer, principal security researcher at Microsoft Threat Intelligence.

The list of known victims keeps growing to include big organizations like Johns Hopkins University, Shell and Ernst & Young. And Clop has begun extorting its victims.

Less clear

Sometimes it’s a bit of a mystery whether something is going badly or well. In early June, the cyber firm Censys found 3,000 MOVEit hosts exposed to the internet. About a week later, it had dropped to 2,600. Censys also broke down those numbers by industry and geography.

“The thinking there is, maybe some of them got attacked and were pulled offline,” Emily Austin, a researcher at the company, told me. “Maybe some of those were mitigation moves. We don’t exactly know the breakdown there.”

And maybe the fallout isn’t entirely over yet, either. Said Austin: “It doesn’t seem like maybe the worst we’ve ever seen, but I think we haven’t seen the worst of it yet.”

Ellen Nakashima contributed to this report.

The keys

Russian national arrested, charged for role in LockBit ransomware attacks

A Russian national was arrested in Arizona and charged with participating in notorious LockBit ransomware attacks against victims in the United States and around the world, AJ Vicens reports for CyberScoop.

Ruslan Magomedovich Astamirov, 20, was taken into custody Wednesday, according to the outlet. The announcement marks the third instance of a Russia-affiliated individual arrested in connection to LockBit activities.

  • “LockBit, which emerged in January 2020, was the most active ransomware variant in 2022 in terms of victims claimed on the group’s data leak site,” the report says, citing a June 14 advisory from the CISA.

“Astamirov’s case will be tried out of New Jersey, which is handling the cases of two other men accused of participating in LockBit ransomware attacks: Mikhail Vasiliev, a dual Russian and Canadian national, was arrested in November, and Mikhail Pavlovich Matveev, also known as Wazawaka, was indicted in May for alleged roles in LockBit attacks along with other cyber activities,” Vicens writes.

  • “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly … to identify ransomware perpetrators and bring them to justice,” U.S. Attorney Philip R. Sellinger for the District of New Jersey said in a statement.

Hollywood producer and gum magnate mulling purchase of NSO assets

A Hollywood producer and a gum magnate are considering purchasing notorious Israeli spyware firm NSO Group’s assets, Stephanie Kirchgaessner reports for the Guardian.

  • Robert Simonds, a US financier whose credits include producing several Adam Sandler films, has been engaged in talks to acquire the blacklisted spyware company’s assets,” the report says, citing people familiar with the matter.
  • Additionally, Kirchgaessner writes: “A firm owned by Simonds’s friend, William ‘Beau’ Wrigley — who was an heir to his family’s chewing gum fortune and has since become involved in the cannabis industry — has conducted due diligence in connection to a possible NSO deal, according to a document seen by the Guardian.”

After it published its story on the potential deal, a Wrigley spokesperson told the Guardian that “Mr Wrigley evaluates many opportunities, all of which are strictly confidential. Mr Wrigley is not pursuing an investment in NSO.”

  • An NSO spokesperson said they were not aware of the plans, according to the report. Simonds didn’t respond to the outlet’s request for comment.

The development is one of several in which entities, including U.S. defense contractors, have considered taking ownership of the company.

The development comes as Hanan Elatr, the wife of murdered journalist Jamal Khashoggi, sued NSO alleging the group infected her phone with the spyware to track her late husband, our colleague Dana Priest reports.

  • It also comes amid scrutiny of spyware around the world. The E.U. on Thursday adopted a resolution on spyware investigations and abuse.

E.U. bans Chinese telecom equipment from internal networks

The E.U. will ban equipment made by Chinese telecom companies Huawei and ZTE from its internal communications networks, Jillian Deutsch and Thomas Seal report for Bloomberg News.

  • Deutsch and Seal write: “As part of an effort to crack down on Chinese equipment in critical infrastructure, European Union’s executive arm urged countries to phase out high-risk vendors” from telecom networks, according to guidelines published Thursday.
  • Huawei said it “strongly opposes and disagrees” with the E.U. announcement, which it said was “clearly not based on a verified, transparent, objective and technical assessment of 5G networks,” Politico Europe’s Antoaneta Roussi reports.

The move comes as the E.U. faces increased pressure from U.S. counterparts to take a tougher stance on China, the report notes. The U.S. has previously taken action against Huawei and ZTE, claiming they pose a security threat and could enable Chinese officials to conduct espionage or disrupt networks. The companies deny the allegations.

Meanwhile, the European Union’s industry chief, Thierry Breton, on Thursday urged more E.U. nations to join in restricting or banning the companies, Foo Yun Chee reports for Reuters.

“To date, only 10 of them have used these prerogatives to restrict or exclude high-risk vendors,” Breton said in a news conference. “This is too slow, and it poses a major security risk and exposes the Union’s collective security, since it creates a major dependency for the E.U. and serious vulnerabilities.”

Securing the ballot

Industry report

National security watch

Global cyberspace

Hill happenings

On the move

  • Chetrice Mosley-Romero will conclude her service as Indiana’s first cybersecurity program director — effective June 19 — and will join CISA as the first cybersecurity state coordinator for Indiana.


  • Former Undersecretary of Defense for Intelligence Michael Vickers speaks at a Center for Strategic and International Studies event on U.S. intelligence operations at noon.

Secure log off

Thanks for reading. See you next week.

magnifier linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram