KEY POINTS

  • Clop, a ransomware gang with alleged ties to Russia, is believed to be responsible for the cyberattack
  • The DOE confirmed that data was compromised at two of its entities
  • An NSC official said the hackers have started releasing some of the data they stole

Several U.S. federal agencies and some companies have been targeted by a global cyberattack allegedly carried out by a Russian-linked ransomware gang, officials revealed Thursday.

Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told CNN Thursday that the agency was "providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications."

MOVEit Transfer by Progress Software is used by many organizations in the U.S. and around the world to transfer data. The software company issued a security advisory Thursday that said it detected "a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment."

As per CNN's report, a senior CISA official told journalists Thursday that aside from American agencies, "several hundred" U.S. companies and organizations may have been affected by the cyberattack.

The U.S. Department of Energy (DOE) said there was a data compromise at two of its entities — DOE contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico — when the cybercriminals gained access to its MOVEit application, Reuters reported.

Clop, a Russia-linked ransomware group, has claimed credit for the MOVEit hack, according to the outlet. The cyber gang reportedly said it wouldn't exploit any of the data obtained from government agencies, adding that all data obtained from government agencies has been deleted.

Meanwhile, Johns Hopkins University and Johns Hopkins Health System said an investigation has been launched into a "recent cybersecurity attack targeting a widely used software tool that affected our networks, as well as thousands of other large organizations around the world."

Although Clop claimed credit for the MOVEit hack, experts told CNN that other ransomware groups may have also obtained access to software code needed to conduct cyberattacks.

Anne Neuberger, the National Security Council's deputy national security advisor for cyber and emerging technology, told CBS News that the hackers have "started releasing some of the data that was stolen as part of their work to extort" affected groups.

"We strongly encourage anyone who was a user of the software to, of course, patch, lock down their systems," Neuberger said.

Brett Callow, cyber threat analyst at anti-virus and decrypting firm Emsisoft, said there were 47 confirmed victims of the recent cyberattack, excluding "a number of as yet unidentified U.S. government agencies."

A CISA official said there was no indication that any of the country's intelligence or military departments have been affected. "This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's networks," the official said, as per CBS.

The SolarWinds hack that was carried out by cybercriminals linked to Russia in 2020 affected some of the country's biggest agencies, including the Treasury Department.

IT company SolarWinds said at the time that it was advised the cyberattack was "likely conducted by an outside nation-state."

The Department of Homeland Security (DHS) was also reportedly targeted in the SolarWinds cyberattack.

Earlier this month, CISA and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory warning that Clop had allegedly started exploiting a vulnerability in MOVEit Transfer.

The two agencies described Clop as a hacker gang that uses "the 'double extortion' tactic of stealing and encrypting victim data, refusing to restore victim access and publishing exfiltrated data" on the anonymous web browser Tor or the gang's own leak website.

Rafe Pilling, director of threat research at safety solutions firm Secureworks, told CNN that experts consider the addition of company names to hackers' leak sites "a tactic to scare victims, both listed and unlisted, into paying."

In April, Britain's National Cyber Security Center (NCSC) warned of an alleged emerging threat to Western national infrastructure by hackers sympathetic to Russia.

"Some [hackers] have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure, including in the U.K. We expect these groups to look for opportunities to create such an impact, particularly if systems are poorly protected," the British NCSC said at the time.

A 3D printed model of men working on computers are seen in front of displayed binary code and words "Hacker" in this illustration taken, July 5, 2021. Reuters / DADO RUVIC