The US Cybersecurity and Infrastructure Security Agency (CISA) today confirmed with CNN that several US federal government agencies have fallen victim to a global cyberattack that exploits a vulnerability found in widely used software: the file-transfer application “MOVEit”.
This latest illicit cyber campaign reveals the widespread implications of a single software flaw when it is exploited by savvy criminals.
CISA is supporting impacted agencies, working to understand the implications and toward expedient remediation. CISA Director Jen Easterly nonetheless told MSNBC that she was “confident” there won’t be “significant impacts” to federal agencies from these hacks, thanks to the government’s cyber defense improvements, according to CNN.
Who is Responsible for the Attack?
To add to the mystery, a CISA spokesperson wouldn’t comment when CNN asked who carried out the cyberattack and how many federal agencies had been affected.
While no group immediately claimed credit for the cyberattack of government agencies, “a Russian-speaking hacking group known as Clop last week claimed credit for some of the hacks [of universities and hospitals], which have also affected employees of the BBC, British Airways, oil giant Shell, and state governments in Minnesota and Illinois, among others,” according to CNN, noting that the recent hack can be added to a growing list of attacks involving large universities like Georgia State University and hospitals like Johns Hopkins.
This adds geopolitical complexity to the incident, underscoring the need for robust cybersecurity practices and international collaboration to effectively address cyber threats.
While the Russian hackers were the first to exploit the software vulnerability, experts believe other black hat hackers now have access to the software code needed to conduct similar attacks.
The Clop extortion site on the dark web has a growing list of alleged victims and a limited time frame for victims to pay their ransom.
The hackers didn’t list any federal agencies but rather wrote in all caps, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information,” per CNN reporting.
If the recent attack on federal agencies was conducted by a Russian hacking group, it wouldn’t be the first time.
Many hacks have occurred with Russian hackers as the suspects, including an extensive hack of email systems at the Treasury and Commerce Departments in 2020.
Why are Russian Hackers So Often Blamed for Hacking Campaigns?
Russian hacking groups composed of Russian-speaking cybercriminals seem to dominate the ransomware racket, where they are “shielded – and sometimes employed – by Russian intelligence agencies, according to security researchers, U.S. law enforcement, and now the Biden administration,” according to a 2021 Associated Press (AP) story.
The result, according to former British intelligence cyber chief Marcus Willett, is that ransomware damages emerging from Russian efforts are now into the tens of billions of dollars and “arguably more strategically damaging than state cyber-spying.”
Former Central Intelligence Agency analyst Michael van Landingham, who now runs the consultancy Active Measures LLC, and Karen Kazaryan, CEO of the software industry-supported Internet Research Institute in Moscow, agree, according to the AP article. They note that many cybercriminals operate under a kind of tacit, and sometimes explicit, agreement with the Russian security services: as long as they aren’t working against the Russian government or Russian businesses, and are focused on stealing from Americans, that’s fine.
“In the U.S. alone last year [2020], ransomware struck more than a hundred federal, state and municipal agencies, upward of 500 hospitals and other health care centers, some 1,680 schools, colleges and universities and hundreds of businesses, according to the cybersecurity firm Emsisoft,” per the AP. “Damage in the public sector alone is measured in rerouted ambulances, postponed cancer treatments, interrupted municipal bill collection, canceled classes and rising insurance costs – all during the worst public health crisis in more than a century.”
The basics of such ransomware attacks consist of finding a software flaw, infiltrating malicious software into networks, “kidnapping” an organization’s data/files, and then demanding payment to restore them. Failure to pay may result in the publication of stolen data on the internet.
Meanwhile, collusion between criminals and the Russian government has been a longstanding issue, as Adam Hickey, a U.S. deputy assistant attorney general, told the AP. Cybercrime in particular serves as a convenient cover for espionage activities. In the past, Russian intelligence agencies recruited hackers to assist in operations. Today, there is a trend of ransomware criminals who are also state-employed hackers, engaging in cybercrime alongside their official roles.
Dmitri Alperovitch, former chief technical officer of Crowdstrike, revealed to the AP that the Kremlin sometimes offers arrested criminal hackers a choice: either face imprisonment or work for the state. This allows hackers to utilize the same computer systems for both state-sanctioned hacking and personal cybercriminal activities, blurring the line between official and personal pursuits. This mixing of state and personal business enables hackers to pursue personal enrichment while also carrying out state-sponsored hacking.
Such insights shed light on the complex relationship between criminals and the Russian government in the cyber domain.
These revelations also underscore the challenges in attributing cyber-attacks and emphasize the critical importance of robust cybersecurity measures. To mitigate the risks associated with such collaborations, organizations and governments must prioritize the development and implementation of effective cybersecurity strategies.
Progress Responds to Its Software Vulnerabilities in MOVEit Transfer and MOVEit Cloud
All those who use MOVEit need to protect their data as much as possible and follow Progress’ recommendations as they test their patch.
“We have taken HTTPs traffic down for MOVEit Cloud in light of the newly published vulnerability and are asking all MOVEit Transfer customers to immediately take down their HTTP and HTTPs traffic to safeguard their environments while the patch is finalized. We are currently testing the patch and we will update customers shortly,” according to a June 15 security notice. Blocking that traffic can be done by modifying firewall rules.
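The interim mitigation quoted above, as an added example that is not from the article or from Progress: it assumes a Windows host running MOVEit Transfer behind Windows Defender Firewall, an elevated PowerShell session, and the web service listening on TCP 80 and 443; the rule names are constructed for this example.

```powershell
# Added example (not from the article or from Progress): block inbound HTTP/HTTPS
# to a MOVEit Transfer host until the vendor patch is installed and verified.
# Assumptions: Windows Defender Firewall, elevated session, web ports 80/443.
# Rule names below are constructed for this example.

$blockRules = @{
    'MOVEit-Interim-Block-HTTP'  = 80
    'MOVEit-Interim-Block-HTTPS' = 443
}

function Enable-MoveItWebBlock {
    foreach ($name in $blockRules.Keys) {
        # Idempotent: only create the rule if it does not already exist.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $blockRules[$name] -Action Block -Profile Any | Out-Null
        }
    }
    # Block rules apply to new connections; stopping the IIS site drops sessions
    # that were already established (requires the WebAdministration module).
    # Stop-Website -Name 'moveitdmz'   # site name is an assumption; check IIS first
}

function Test-MoveItWebBlock {
    # Report which interim rules are present and enabled; review before relying on them.
    foreach ($name in $blockRules.Keys) {
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Rule = $name; Present = [bool]$rule; Enabled = ($rule.Enabled -eq 'True') }
    }
}

function Disable-MoveItWebBlock {
    # Roll back only after the Progress patch has been applied and verified.
    foreach ($name in $blockRules.Keys) {
        Remove-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    }
}

Enable-MoveItWebBlock
Test-MoveItWebBlock
```

SFTP and FTPS listeners on other ports are not affected by these rules, so file transfer over those protocols can continue while the web interface is unreachable.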
The incident serves as a stark reminder of the ever-evolving nature of cyber threats and the importance of proactive defense strategies. Government agencies are entrusted with sensitive information, including classified data and personally identifiable information (PII) of citizens. A successful breach not only compromises national security but also erodes public trust.
The increasing reliance on digital systems and the widespread availability of hacking tools have made cyber-attacks a pervasive threat. The importance of cybersecurity cannot be overstated as it plays a crucial role in safeguarding sensitive information, protecting national security, and ensuring the stability of our digital infrastructure.
Contact Horizon Helix today to proactively protect your data!