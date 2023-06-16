



A Russian ransomware group gained access to data from federal agencies, including the Department of Energy, in an attack that leveraged file transfer software to steal and resell user data, American officials said Thursday.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, described the breach as largely opportunistic and neither focused on specific high-value information nor as damaging as previous cyberattacks on US government agencies.

"While we are very concerned about this campaign, it is not a campaign like SolarWinds that poses systemic risk," Ms. Easterly told reporters on Thursday, referring to the massive breach that compromised several US intelligence agencies in 2020.

The Energy Department said Thursday that the records of two entities within the department were compromised and that it notified Congress and CISA of the breach.

The DOE took immediate action to prevent further exposure to the vulnerability, said Chad Smith, deputy press secretary for the Department of Energy.

State Department and FBI officials declined to say whether their agencies were affected.

Citing an assessment by CISA and FBI investigators, Easterly said the breach was part of a larger ransomware operation by Clop, a Russian ransomware gang that exploited a vulnerability in MOVEit software and attacked a range of local governments, universities and businesses.

Earlier this month, public officials in Illinois, Nova Scotia and London revealed they were among the software users affected by the attack. British Airways and the BBC said they were also affected by the breach. Johns Hopkins University, the University System of Georgia and European oil and gas giant Shell released similar statements about the attack.

A senior CISA official said only a small number of federal agencies were affected, but declined to identify which ones. But, the official added, early reports from the private sector suggested that at least several hundred companies and organizations had been affected. The official spoke on condition of anonymity to discuss the attack.

According to data collected by GovSpend, a number of government agencies have purchased the MOVEit software, including NASA, the Treasury Department, Health and Human Services, and arms of the Department of Defense. But it wasn’t clear how many agencies were actively using it.

Clop had previously claimed responsibility on its website for the earlier wave of breaches.

The group said it had no interest in mining data stolen from government or police offices and had deleted it, focusing only on stolen business information.

Robert J. Carey, president of cybersecurity firm Cloudera Government Solutions, noted that data stolen in ransomware attacks can easily be sold to other illegal actors.

"Anyone using it is likely compromised," he said, referring to the MOVEit software.

The revelation that federal agencies were also among those affected was reported earlier by CNN.

A representative for MOVEit, which is owned by Progress Software, said the company has engaged with federal law enforcement and other agencies and will combat increasingly sophisticated and persistent cybercriminals who intend to maliciously exploit vulnerabilities in widely used software products. The company initially identified the vulnerability in its software in May, releasing a patch, and CISA added it to its online catalog of known exploited vulnerabilities on June 2.

Asked about the possibility of Clop acting in coordination with the Russian government, the CISA official said the agency had no evidence to suggest such coordination.

The MOVEit breach is another example of government agencies falling victim to cybercrime organized by Russian groups, as ransomware campaigns largely aimed at Western targets have repeatedly shut down critical civilian infrastructure, including hospitals, energy systems and municipal services.

Some attacks have appeared to be primarily financially motivated, such as when as many as 1,500 businesses worldwide were affected by a Russian ransomware attack in 2021.

But in recent months, Russian ransomware groups have also engaged in ostensibly political attacks with the tacit approval of the Russian government, targeting countries that have backed Ukraine since Russia invaded last year.

Shortly after the invasion, 27 government institutions in Costa Rica suffered ransomware attacks by another Russian group, Conti, forcing the country’s president to declare a national state of emergency.

Cyberattacks from Russia were already a point of contention in US-Russian relations before the war in Ukraine. The issue was high on the White House agenda when President Biden met with Russian President Vladimir V. Putin in 2021.

A ransomware attack on one of the largest oil pipelines in the United States by a group believed to be based in Russia forced the pipeline operator to pay $5 million to recover its stolen data just a month before Mr. Biden and Mr. Putin met. Federal investigators later said they recovered much of the ransom in a cyber operation.

Also on Thursday, analysts at cybersecurity firm Mandiant identified an attack on Barracuda Networks, an email security provider, which they say appears to be part of a Chinese espionage effort. The breach also affected a range of government and private organizations, including the ASEAN Foreign Ministry and foreign trade offices in Hong Kong and Taiwan, Mandiant wrote in its report.

