Department Of Energy Among ‘Several’ US Agencies Hacked By Russia Cybercriminals

Micaela Burrow Investigative Reporter, Defense

The Department of Energy (DOE) confirmed late Thursday it experienced a data breach by a notorious Russian cybercriminal group, one of several state and federal agencies hit with cyberattacks connected to the same global hacking operation, according to media reports.

The number of known victims had reached at least 47 by Thursday, including private companies, American universities and NATO governments “plus a number of as yet unidentified U.S. government agencies,” Brett Callow, a cyber threat analyst with Emsisoft, told CBS News. CISA director Jen Easterly confirmed that a ransomware group calling itself Cl0p orchestrated the massive attack but said the breaches would not pose a “systemic risk” to national security or U.S. networks.

“Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” Easterly told reporters on a press call Thursday.

CISA officials declined to say which federal agencies were impacted in the campaign besides specifying that only a small number were dealing with the attack, but DOE later confirmed that it had reported an incident to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), according to The New York Times. DOE notified Congress of the breach and confirmed two entities within the department had been compromised.

“DOE took immediate steps to prevent further exposure to the vulnerability,” press secretary Chad Smith told the NYT.

At the time, there was no indication any military or government intelligence organizations had been hit, a senior official told CBS News.

Other known victims include Johns Hopkins University, the University of Georgia, the BBC, British Airways, Shell, and state government organizations in Minnesota, Illinois, Louisiana and Oregon, according to media reports and cybersecurity analysts.

The State Department and Transportation Security Administration told CNN they were not victims of the attack.

The Russian cybercrime group, which calls itself Cl0p, claimed their attack began last week and affected “hundreds” of organizations, according to Cybernews.

Cybersecurity researchers believe the gang became active in 2014 but began operating ransomware in 2019, and that it operates with the unspoken backing of the Russian government, according to CBS and cyber threat analysts.

The hackers found a vulnerability in a widely-used software called MOVEit that helps companies transfer large files, Anne Neuberger, deputy national security advisor for cyber and emerging technology for the National Security Council, told CBS News.

“They’ve (the hackers) started releasing some of the data that was stolen as part of their work to extort these companies,” Neuberger said, although the senior CISA official told CBS that federal agencies have not received any demands for payment in exchange for the safe restoration of locked data.

If victims do not pay the ransom by the Wednesday deadline Cl0p set, they could have their data from the encrypted, or locked, files leaked publicly and be identified as victims, according to the NYT and CBS. However, as of Thursday, no federal agencies were listed on the gang’s victim site that can be accessed on the Dark Web.

“If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us,” Cl0p wrote. “We have no interest to expose such information.”

CISA “is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Eric Goldstein, CISA’s assistant director for cybersecurity, told CNN in a statement.
