A global cyberattack orchestrated by Russian cybercriminals has targeted numerous US federal government agencies, exploiting a vulnerability in commonly used software, according to a leading US cybersecurity agency. The US Cybersecurity and Infrastructure Security Agency (CISA) is “providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” stated Eric Goldstein, CISA’s executive assistant director for cybersecurity.
In addition to US government agencies, a senior CISA official revealed that “several hundred” US-based companies and organizations could be impacted by the hackers’ activities. The ransomware group Clop, allegedly behind the attack, is notorious for demanding multimillion-dollar ransoms. However, no ransom demands have been made against federal agencies so far.
Progress Software, the US company responsible for the exploited software, has identified a second vulnerability in the code and is currently working on a fix. Among the federal agencies affected by the ongoing hacking campaign is the Department of Energy, as confirmed by a department spokesperson. CISA Director Jen Easterly assured reporters that the hacks have not caused any “significant impacts” on federal civilian agencies, adding that the hackers have been “largely opportunistic.”
This recent wave of cyberattacks began two weeks ago, targeting major US universities and state governments. The situation is putting pressure on federal officials who have vowed to tackle the rising issue of ransomware attacks that have disrupted schools, hospitals, and local governments across the nation.
Since late last month, the hackers have exploited a flaw in the widely used software called MOVEit, which agencies and companies utilize to transfer data. Progress Software has discovered a new vulnerability in the software “that could be exploited by a bad actor.” The company has informed its customers about the necessary steps to secure their systems and has temporarily taken MOVEit Cloud offline while urgently working on a patch.
Several agencies were quick to deny being affected by the hack, including the Transportation Security Administration and the State Department. The Department of Energy has taken “immediate steps” to mitigate the impact after learning that records from two department entities had been compromised, according to a department spokesperson.
The Russian hackers were the first to exploit the MOVEit vulnerability, but experts warn that other groups may now have access to the software code needed to carry out attacks.
The ransomware group set a deadline for victims to make contact regarding ransom payments, which expired on Wednesday. Following this, the hackers began revealing more alleged victims from the cyberattack on their dark web extortion site. As of Thursday morning, no US federal agencies were listed on the site. The hackers stated in uppercase letters, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
The Clop ransomware group is among several gangs based in Eastern Europe and Russia that primarily focus on extracting as much money as possible from their victims. According to Rafe Pilling, director of threat research at Dell-owned Secureworks, the current activity of adding company names to their leak site serves as a scare tactic. He told CNN, “It’s a tactic to scare victims, both listed and unlisted, into paying.”