Several US agencies have been compromised by a hacking campaign in which attackers have exploited flaws in a popular software tool to collect information from a number of victims.
The US Cybersecurity and Infrastructure Security Agency, a unit of the Department of Homeland Security, confirmed on Thursday that several US government agencies were affected by hackers. Neither the names of the agencies nor the scope of the hacks were immediately clear.
Russian-speaking hackers known as Clop have carried out a series of recent attacks that exploited a vulnerability in MOVEit, a popular file transfer product.
“CISA is supporting several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, CISA’s deputy executive director for cybersecurity, said in a statement shared with Bloomberg. CNN previously reported that the agency was responding to hackers.
CISA is “working urgently to understand the impacts and ensure timely remediation,” Goldstein said. On June 1, CISA issued a security advisory about a vulnerability in the MOVEit software.
Thursday’s update comes after companies around the world reported their own experience with the hacking campaign.
Shell Plc said it was investigating a possible data breach after Clop named it as a victim. The gang listed Shell among a dozen new alleged victims, spanning the US and Europe, on its website late Wednesday. In addition to Shell, the others included an American university, insurance companies and manufacturers, as well as banks, investment firms and financial services.
Although Clop gave the affected companies until June 14 to get in touch about its ransom demands, the group did not appear to have posted any stolen data on its website as of Thursday morning. Clop gained access through a flaw in Progress Software Corp.’s MOVEit product. Shell said the tool is used by “a small number of Shell employees and customers”.
“There is no evidence of an impact on Shell’s core IT systems,” said Amir Paivar, a company spokesman. “Our IT teams are investigating.” He added that the company was not communicating with the hackers.
German printing and packaging company Heidelberg was also on the list, although a spokesperson said the incident was countered and did not result in a data breach. Landal GreenParks, a Dutch camping and recreation company, said the gang had accessed guest data, including the names and contact details of around 12,000 people. A spokesman said it was unclear “whether they have taken advantage of this access”. The company informed the Dutch data protection authority and disabled the compromised server.
Previously disclosed victims have included IAG SA’s British Airways, British Broadcasting Corp. and the UK communications regulator Ofcom. Progress said it has released a patch for the flaw.
“We remain focused on supporting our customers by helping them take the necessary steps to further secure their environments, including applying the patches we’ve released,” said Progress spokesman John Eddy. “We also continue to share information transparently to better enable the entire industry to combat sophisticated cybercriminals intent on discovering and maliciously exploiting vulnerabilities in commonly used software products.”
The Clop gang has claimed to have information from “hundreds of companies”, although it is not clear how many are affected.
British Airways, pharmacy chain Boots and the BBC told staff that personal information may have been compromised following a cyber attack on their payroll provider, Zellis. Other victims included Aer Lingus, the government of Nova Scotia and the Minnesota Department of Education. In the latter case, hackers stole files that included about 95,000 names of foster students across the state.
Clop has said it deleted data from governments, cities and police agencies. But Kevin Burns, spokesman for the Minnesota Department of Education, said, “We’re taking all of this with a grain of salt.”
Clop, sometimes known as Cl0p, is the name of a ransomware variant that has been deployed against companies and organizations around the world, and sometimes also refers to the hacker gang that uses it. The gang is Russian-speaking and its attacks have caused hundreds of millions of dollars in damage, according to cybersecurity firm Trend Micro Inc.
Although several alleged gang members have been arrested, the group’s hacking activity did not stop, according to the US Department of Health and Human Services. Clop is the successor to the CryptoMix ransomware, which was believed to have been developed in Russia, and has been frequently used to target the healthcare industry, according to HHS.
In addition to deploying ransomware, which encrypts a victim’s files, Clop hackers sometimes steal data. Hacker groups are moving towards stealing data, rather than encrypting files, as their means of extorting victims.