Several U.S. government agencies have been hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software, the nation’s cyber watchdog agency said on Thursday.
The Cybersecurity and Infrastructure Security Agency (CISA) statement added to a growing list of entities in the U.K., U.S., and other countries whose systems were infiltrated through the MOVEit Transfer software. The hackers took advantage of a security flaw that the software’s maker, Progress Software, discovered late last month.
“We are working urgently to understand impacts and ensure timely remediation,” said CISA’s executive assistant director of cybersecurity, Eric Goldstein, in a statement.
CISA didn’t detail the impact on the U.S. agencies.
The New York Times reported the Energy Department was among the agencies affected. The Times report also attributed the attack to a Russian ransomware group. However, it said CISA, a division of the Department of Homeland Security, didn’t have evidence linking the ransomware group to the Russian government.
“Although we are very concerned about this campaign, this is not a campaign like SolarWinds that poses a systemic risk,” said CISA director Jen Easterly to reporters on Thursday, according to the Times report. Easterly was referring to the massive data breach that compromised several intel agencies in the U.S. three years ago.
According to separate statements, Johns Hopkins University, the University System of Georgia, the Johns Hopkins Health System, and British energy giant Shell were also hit.
Anna Arata, a spokeswoman for Shell, said MOVEit Transfer is used by “a small number” of Shell customers and employees.
“There is no evidence of impact to Shell’s core IT systems,” said Arata. “There are around 50 users of the tool, and we are urgently investigating what data may have been impacted.”
Johns Hopkins said it was “investigating a recent cybersecurity attack targeting a widely used software tool that affected our networks, as well as thousands of other large organizations around the world.”
The University System of Georgia, which includes about 26 public colleges, said it was “evaluating the scope and severity of this potential data exposure” from the MOVEit hack.
Large organizations, including the U.K.’s British Airways, its telecom regulator, drugstore chain Boots, and the BBC, emerged as victims last week.
The U.K. telecom regulator said hackers stole data from its system, while the personal information of tens of thousands of BBC, British Airways, and Boots employees was also exposed.
The National Security Agency and FBI also didn’t immediately respond to emails seeking details on the breaches.
The U.S. does not expect any “significant impact” from the breach, said CISA Director Jen Easterly to MSNBC.
MOVEit is typically used by organizations to transfer files between customers or their partners. A MOVEit spokesperson said the company had “engaged with federal law enforcement” and was cooperating with customers to help them apply fixes to their systems.
New vulnerabilities found
Progress Software’s shares fell 6.1% Thursday. The company divulged another “critical vulnerability” found in MOVEit Transfer Thursday, although it wasn’t clear whether hackers had exploited it.
Clop, an online extortion group that has claimed credit for the MOVEit hack, previously said it wouldn’t exploit any data retrieved from government agencies.
“IF YOU ARE A GOVERNMENT, CITY OR POLICE SERVICE DO NOT WORRY, WE ERASED ALL YOUR DATA,” the group stated on its website.
Clop did not respond immediately to a request for comment.
A security researcher at Huntress, John Hammond, said MOVEit is used to transfer sensitive information, such as when bank customers upload their financial information for loan applications.
“There’s a whole lot of potential for what an adversary might be able to get into,” Hammond said earlier this month.