Multiple US agencies were compromised by a hacking campaign in which attackers have exploited flaws in a popular software tool to gather information from a range of victims.
The US Cybersecurity and Infrastructure Security Agency, a unit of the Department of Homeland Security, confirmed Thursday that several US government agencies were affected by hackers. Neither the names of the agencies nor the scope of the hacks were immediately clear.
Russian-speaking hackers known as Clop have carried out a spate of recent attacks that exploited a vulnerability in MOVEit, a popular file-transfer product.
“CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement shared with Bloomberg. CNN previously reported the agency was responding to hacks.
CISA is “working urgently to understand impacts and ensure timely remediation,” Goldstein said. On June 1, CISA issued a security advisory about a vulnerability in MOVEit software.
The update Thursday comes after companies throughout the world have pointed to their own experience with the hacking campaign.
Shell Plc said it was investigating a possible data breach after it was targeted by Clop. The gang listed Shell among a dozen alleged new victims, spanning the US and Europe, on its website late Wednesday. Besides Shell, the others included a US university, insurance and manufacturing firms, as well as banks, investment and financial services companies.
While Clop gave affected companies until June 14 to get in touch about its ransom demands, the group doesn’t appear to have published any stolen data on its website as of Thursday morning. Clop gained access via a flaw in the MOVEit product from Progress Software Corp. Shell said that the tool is used by “a small number of Shell employees and customers.”
“There is no evidence of impact to Shell’s core IT systems,” Amir Paivar, a company spokesman, said. “Our IT teams are investigating.” He added that the company was not communicating with the hackers.
German printing and packaging company Heidelberg was also on the list, though a spokesperson said the incident was countered and didn’t lead to a data breach. Landal GreenParks, a Dutch campsite and recreation company, said the gang had accessed guest data, including names and contact details of about 12,000 people. A spokesperson said it’s unclear “whether they have taken advantage of that access.” The company informed the Dutch data protection authority and disabled the compromised server.
Previously disclosed victims have included IAG SA’s British Airways, the British Broadcasting Corp. and the UK communications regulator Ofcom. Progress said it has issued a patch for the flaw.
“We remain focused on supporting our customers by helping them take the steps needed to further secure their environments, including applying the patches we have released,” according to John Eddy, a Progress spokesperson. “We are also continuing to share information in a transparent way to better enable the entire industry to combat sophisticated cybercriminals intent on uncovering and maliciously exploiting vulnerabilities in commonly used software products.”
The Clop gang has claimed it has information from “hundreds of companies,” though it’s unclear how many are affected.
British Airways, the pharmacy chain Boots and the BBC told staff that personal information may have been compromised after a cyberattack on their payroll provider, Zellis. Other victims included Aer Lingus, the government of Nova Scotia and the Minnesota Department of Education. In the latter case, the hackers stole files that included about 95,000 names of students placed in foster care throughout the state.
Clop has said it erased data from governments, cities and police agencies. But Kevin Burns, a spokesman for the Minnesota Department of Education, said, “We are taking all of that with a grain of salt.”
Clop, sometimes referred to as Cl0p, is the name of a ransomware variant that has been deployed against companies and organizations around the world, and it also sometimes refers to the hacking gang that uses it. The gang is Russian-speaking and its attacks have caused hundreds of millions of dollars in damage, according to the cybersecurity firm Trend Micro Inc.
While several alleged members of the gang have been arrested, the group’s hacking activity wasn’t interrupted, according to the US Department of Health and Human Services. Clop is the successor to CryptoMix ransomware, which was believed to have been developed in Russia, and it has frequently been used to target the health-care industry, according to HHS.
In addition to deploying ransomware, which encrypts a victim’s files, Clop hackers sometimes steal data. Hacking groups are moving toward stealing data rather than encrypting files as a way to blackmail victims.