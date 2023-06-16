



June 15 (Reuters) – The U.S. Department of Energy and several other federal agencies have been hit by a global hacking campaign that exploited a vulnerability in widely used file transfer software, officials said on Thursday.

Data was “compromised” at two Department of Energy entities when hackers gained access through a security breach in MOVEit Transfer, the department said in a statement.

A DOE official said those entities were DOE contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant – the New Mexico-based facility for the disposal of defense-related nuclear waste.

British energy giant Shell , University System of Georgia, Johns Hopkins University and Johns Hopkins Health System were also affected, the three groups said in separate statements. The latter is a non-profit organization that collaborates with the university and manages six hospitals and primary care centers.

The new victims add to a growing list of entities in the United States, Britain and other countries whose systems have been infiltrated via MOVEit Transfer software. The hackers took advantage of a security flaw that its creator, Progress Software (PRGS.O), discovered late last month.

Russia-linked extortion group Cl0p, which claimed responsibility for the MOVEit hack, said in a statement earlier that it would not mine any data from government agencies and that it had erased all such data. He did not immediately respond to a request for additional comment.

The US Cybsecurity and Infrastructure Security Agency (CISA) said it was helping several federal agencies that had been breached, but did not name them.

“At this time, we are not tracking any material impact to the Federal Civilian Executive (.gov) business, but we continue to work with our partners on this matter,” the agency said in a statement.

The Department of Energy, which manages U.S. nuclear infrastructure and energy policy, said it notified Congress of the breach and was participating in investigations with law enforcement and the CISA.

A Shell spokesperson said there was no evidence of impact to Shell’s core IT systems from the MOVEit Transfer-related breach. “There are around 50 users of the tool, and we are urgently investigating what data may have been impacted,” she added.

Johns Hopkins also said it was “investigating a recent cybersecurity attack targeting a widely used software tool that affected our networks.”

The Georgia University System, which includes about 26 public colleges, said it was “assessing the scope and severity of this potential data exposure” from the MOVEit hack.

Major organisations, including UK telecoms regulator British Airways, the BBC and pharmacy chain Boots, fell victim last week.

CISA did not immediately respond to requests for additional comment. The FBI and National Security Agency also did not immediately respond to emails requesting details of the violations.

A MOVEit spokesperson said the company has “engaged with federal law enforcement” and is working with customers to help them patch their systems.

Shares of Progress Software ended down 6.1% on Thursday. The company revealed another “critical vulnerability” found in MOVEit Transfer on Thursday, although it was unclear if it had been exploited by hackers.

MOVEit Transfer is a popular tool used by organizations to share sensitive information with partners or customers. It could be used by customers of a bank, for example, to upload their financial data for loan applications, said John Hammond, security researcher at Huntress.

“There’s a lot of potential for what an opponent could do,” he said earlier this month.

