The Clop ransomware gang has hit at least three US government agencies by exploiting MOVEit file transfer flaws. The State Department offered a $10-million reward for proof of Clop links to a foreign government.

In the latest cyber incident affecting the US federal government, two arms of the US Department of Energy (DOE) and, according to press reports, the US Department of Agriculture and the Office of Personnel Management, have been swept up in a sprawling spree of attacks by the Russia-based Clop ransomware gang.

The Clop organization is exploiting vulnerabilities in Progress Software’s MOVEit Transfer secure file transfer platform to attack dozens of public and private sector organizations worldwide. Progress disclosed the first flaw, a SQL injection vulnerability, on May 31. On June 9, Progress reported a second flaw, another SQL injection vulnerability, which “could lead to escalated privileges and potential unauthorized access to the environment.” The company has issued patches for both flaws.

The Clop gang is generally considered to be a Russian cybercriminal group (ostensibly not operating at the behest of the Kremlin) and it operates with impunity inside Russia’s borders. However, the group’s days as a non-state actor could be numbered given that the US State Department’s Rewards for Justice program has announced up to a $10-million bounty for information conclusively linking the Clop ransomware attacks to a foreign government.

“I feel like this specific attack could be one of the largest cyberattacks that we’ve had in quite a while, if not the largest that we’ve experienced,” Demetrice Rogers, cybersecurity specialist and adjunct professor at Tulane University, tells CSO. “There are a lot of users of the MOVEit file transfer software, a lot of government organizations, a lot of private organizations and state governments,” so there’s no telling how many ultimate victims there are. Progress Software says thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit.

An unknown number of agencies have been affected

In a press briefing last week, Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency (CISA), said these “opportunistic” agency attacks had not had “significant impacts” on government enterprise. Easterly said her agency was unaware that the Clop threat actors had threatened to extort or release any data stolen from government agencies at that time.

However, more recent reports suggested that the two DOE facilities, Oak Ridge Associated Universities and DOE’s Waste Isolation Pilot Plant near Carlsbad, New Mexico, had received ransom demands. These ransom demands run counter to Clop’s contention that they delete any data stolen from governments.

During the press briefing, one senior administration official said that after issuing a joint advisory with the FBI containing recommended actions and mitigations to address the MOVEit vulnerability, “we quickly moved to drive national mitigation efforts, including by adding this vulnerability to our known exploited vulnerability catalog, thereby establishing a mandate for federal agencies to mitigate and sending a strong signal to the broader cybersecurity community.”
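One way a defender can operationalize the KEV mandate the official describes, as an added example that is not part of this article or of CISA’s own tooling: match an asset inventory against a KEV-style feed and flag every unpatched MOVEit host together with its remediation due date. The feed and inventory below are constructed samples embedded so the script runs offline; the field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) follow the shape of CISA’s public KEV JSON feed, but the CVE ids, hosts and dates are placeholders, not the real MOVEit entries.

```python
"""Match an asset inventory against a CISA KEV-style feed and report remediation deadlines."""
from dataclasses import dataclass
from datetime import date

# Constructed sample feed: same field names as CISA's KEV JSON, placeholder values.
SAMPLE_KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-00001", "vendorProject": "Progress", "product": "MOVEit Transfer",
         "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability (placeholder)",
         "dateAdded": "2023-06-02", "dueDate": "2023-06-23"},
        {"cveID": "CVE-0000-00002", "vendorProject": "progress ", "product": "moveit transfer",
         "vulnerabilityName": "Progress MOVEit Transfer SQL Injection Vulnerability (placeholder)",
         "dateAdded": "2023-06-09", "dueDate": "2023-06-16"},
        {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "OtherProduct",
         "vulnerabilityName": "Unrelated placeholder entry",
         "dateAdded": "2023-05-01", "dueDate": "2023-05-22"},
    ]
}

# Constructed asset inventory; "patched" means every vendor fix for the product is applied.
SAMPLE_INVENTORY = [
    {"host": "moveit-01.example.test", "vendor": "Progress", "product": "MOVEit Transfer", "patched": False},
    {"host": "moveit-02.example.test", "vendor": "Progress", "product": "MOVEit Transfer", "patched": True},
    {"host": "sftp-gw.example.test", "vendor": "OtherVendor", "product": "SomethingElse", "patched": False},
]


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str      # normalized: stripped, lower-case
    product: str     # normalized: stripped, lower-case
    date_added: date
    due_date: date


def _norm(s):
    return s.strip().lower()


def parse_feed(feed):
    """Turn the KEV-style dict into KevEntry records with normalized vendor/product keys."""
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=_norm(v["vendorProject"]),
            product=_norm(v["product"]),
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
        )
        for v in feed["vulnerabilities"]
    ]


def find_exposures(inventory, entries, today):
    """One finding per (unpatched asset, KEV entry) pair whose vendor and product match.

    Findings are sorted so overdue items (negative days_left) come first.
    """
    by_product = {}
    for e in entries:
        by_product.setdefault((e.vendor, e.product), []).append(e)

    findings = []
    for asset in inventory:
        if asset.get("patched"):
            continue
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for e in by_product.get(key, []):
            days_left = (e.due_date - today).days
            findings.append({
                "host": asset["host"],
                "cve_id": e.cve_id,
                "due_date": e.due_date.isoformat(),
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cve_id"]))
    return findings


def run_report(today_iso="2023-06-20"):
    """Run the samples through the matcher; returns the findings list."""
    return find_exposures(SAMPLE_INVENTORY, parse_feed(SAMPLE_KEV_FEED), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_report():
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']} day(s) left"
        print(f"{f['host']}: {f['cve_id']} due {f['due_date']} ({status})")
```

The vendor/product normalization matters in practice because inventory tools and the feed rarely spell names identically; the patched host is dropped entirely, while the unpatched MOVEit host yields one line per KEV entry so the overdue item surfaces first.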

The official also said that the federal government is moving quickly to address other file-sharing applications and is “working with the broader technology community to ensure that every product has the appropriate security controls and design features to reduce the likelihood and prevalence of these kinds of intrusions.”

CISA says no evidence of impact on US military or intelligence

CISA is not “going to disclose the identity of any other impacted agencies or victims” at this time, the official said. Still, the agency is “not aware of any impact to military branches or the IC at this time.” The attacks on the agencies occurred in the window between when the MOVEit flaw was announced and the agencies implemented patches. “At this point, we are not aware of any federal agencies that are running unmitigated instances of the MOVEit application.”

The official warned that “Every organization that is running this product across the country should have implemented the appropriate patch, and if they have not yet done so, they need to do so with all urgency, and CISA will continue amplifying the importance of these mitigations both nationally and through our regional teams to continue to drive mitigation and reduce the risk.” Meanwhile, “across the federal civilian executive branch, we are working with agency CIOs and CISOs to ensure that we understand any impacts and that appropriate actions are being taken in response.”

Other government and business organizations have been exploited

In addition to the US federal government, at least two state governments have been hit with Clop attacks, including the State of Oregon, which revealed that a MOVEit breach in its Department of Motor Vehicles system affected 3.5 million Oregonians with driver’s licenses or state ID cards. The State of Louisiana said that six million records were affected by a MOVEit-related breach of its Office of Motor Vehicles.

The Minnesota Department of Education said the personal information of 95,000 students was breached in a Clop exploitation of MOVEit. In Canada, the government of Nova Scotia announced it had suffered a breach in its MOVEit application.

Last week Clop released a list of its victims on its leak site, which names several US banks and universities. Many other private sector organizations across the globe, including the BBC, British Airways, drugstore giant Boots, and Shell, are among the targets hit by the recent Clop attacks.

Attacks are tied to a broader trend of data weaponization

Adam Meyers, senior vice president of intelligence at CrowdStrike, tells CSO that this recent spree by Clop “is tied to the broader activity we’re seeing of data weaponization, and data weaponization is something that has been driving a lot of these criminal actors.” He noted that his firm has found that 18% to 20% of ransomware attackers don’t even bother to demand ransoms anymore, jumping straight to data extortion instead. “When you think about these file transfer utilities that they’ve been hitting, it factors nicely into that broader trend of data extortion.”

“I would say that you could probably expect to see more of that, not less of that,” Meyers says, “because these file transfer sites represent a good opportunity for these threat actors to start stealing sensitive information and then extort the victim.”

When will the federal government know more?

Regarding why the federal government isn’t divulging a list of agencies hit by the Clop gang, Meyers said: “The government, like many industries and organizations, has a visibility challenge. They know where they know they have it, but they don’t know where they don’t have it.” Moreover, “the government isn’t one monolithic infrastructure. Agencies will have sub-infrastructures, field offices, and teams doing different stuff as part of their job. As a result, they may have set up their own infrastructure for file transfer stuff.”

Tulane’s Rogers says, “I have a feeling that Clop will post more organizations on their dark web leak site over the next several days. So, if the federal government doesn’t soon divulge more information on how many government agencies have been hit,” the Clop gang likely will.

Clop attacks could increase with new flaws

Clop’s exploitation of MOVEit flaws may just be beginning. On top of the original vulnerabilities that led to the current round of attacks, Progress announced it had discovered a third vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.

The company issued a patch for this bug after a proof-of-concept for the flaw was released by a researcher who goes by the handle MCKSys Argentina. Progress warns that it is “extremely important” that all MOVEit customers take immediate action to address the issue.

Copyright © 2023 IDG Communications, Inc.