A Russian-speaking cybercrime group’s latest strategy includes stealing information from several federal U.S. agencies, including the Department of Energy (DOE). The global hacking campaign impacted “several hundred” companies and organizations within the United States on this latest hacking spree, CISA officials said
“Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA),” a DOE spokesperson said. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”
The group, CL0P, is an established ransomware group, a type of organized cybercrime where hackers try to remotely extort victims by either remotely encrypting their data or stealing and threatening to publish files.
The Cybersecurity and Infrastructure Security Agency (CISA), a federal agency that advises the nation on cyberattacks and helps protect federal networks, said that multiple agencies had been affected by CL0P’s recent spree.
The group appears to have used the MOVEit hack, which was first disclosed in May by Progress Software after it warned that hackers had found a way to break into its MOVEit Transfer tool.
MOVEit software allows for sensitive files to be transferred securely. Popular worldwide, most of its customer base is in the U.S. Around a dozen other U.S. agencies have active MOVEit contracts, according to the Federal Data Procurement System. This includes the Department of the Army, the Department of the Air Force and the Food and Drug Administration.
“This series of cyber-attacks is clearly a case of software supply chain risk,” explained Kumar Ritesh, founder and CEO of cybersecurity provider CYFIRMA.
CL0P has a known link to the Russian intelligence agency. Its name is derived from the Russian word “klop,” which translates to “bedbug.” The group first surfaced in 2019 using its namesake ransomware, which is part of the Cryptomix ransomware family. Clop is also noted for employing malware that is explicitly designed not to execute on Russian language systems, while it has continued to target entities around the world.
According to TechCrunch, CL0P “has added another batch of victims that it claims to have compromised via the MOVEit vulnerability, including the Boston Globe, California-based East Western Bank, New York-based biotechnology company Enzo Biochem and Microsoft-owned AI firm Nuance.”