Senior government officials are racing to limit the impact of what’s believed to be a global cyberattack affecting U.S. federal agencies and allies, including NATO member countries.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed in a statement Thursday that it was providing support to several federal agencies “that have experienced intrusions affecting their [file transfer] applications.”
“We are working urgently to understand impacts and ensure timely remediation,” the statement continued.
Anne Neuberger, deputy national security advisor for cyber and emerging technology for the National Security Council, told CBS News Thursday that the hackers “compromised a vulnerability in a widely used software” that companies worldwide use “to move large files.”
“They’ve (the hackers) started releasing some of the data that was stolen as part of their work to extort these companies,” Neuberger said. “We strongly encourage anyone who was a user of the software to, of course, patch, lock down their systems.”
One cybersecurity expert characterized the breach as one of the largest theft and extortion events in recent history. Victims include Johns Hopkins University, the University of Georgia, the BBC and British Airways.
Cybersecurity experts say the hacking gang has been active since at least 2014 and is believed to operate from Russia with the tacit approval of Moscow’s intelligence services. CISA Director Jen Easterly identified the hackers as CLOP Ransomware.
“They’re basically taking data and looking to extort it,” Easterly said.
Brett Callow, a cyber threat analyst with Emsisoft, told CBS News that there were 47 confirmed victims so far, “plus a number of as yet unidentified U.S. government agencies.” He added that CLOP claimed “hundreds of organizations have been impacted.”
Late Thursday afternoon, a senior CISA official declined to identify which government agencies had been affected, but noted that the Energy Department had issued a statement indicating it had reported an incident to CISA. The official also said that at this time, there is no indication that any of the military branches or the intelligence community were impacted.
“This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks,” the official said, referring to a hugely disruptive cyberattack in 2020 that was traced to Russian military hackers.
Further, no federal agencies have so far received extortion demands and no federal data has been leaked, the official said.
Many organizations had already patched the vulnerability before the cyber actors were able to intrude, according to CISA.
CLOP works by seizing sensitive data and holding it for ransom, threatening “after 7 days your data will start to be published.” It’s exploiting a vulnerability in a software program called MOVEit Transfer, which is widely used to transfer data.
A CISA analyst note described CLOP as a ransomware variant that uses a double extortion ransomware strategy. The cybercriminal gang steals the information before encrypting it and then demands a ransom to head off the leaking of that information on CLOP’s ransomware site.
At this point, Easterly says the government is “focused specifically on the federal agencies that may be impacted” and is “working hand-in-hand with them to mitigate the risk.”
“We understand there are businesses, though, around the world,” she added.
Researcher Brett Callow says victims also include banks and credit unions.
The FBI and CISA warned last week that in late May, a ransomware gang began exploiting a vulnerability in the file-sharing software MOVEit Transfer.
The FBI declined to comment, but referred CBS News to the security advisory about MOVEit, which also encouraged private sector partners to implement recommended measures to protect themselves from the ransomware and to report any suspicious cyber activity to local FBI offices and CISA.