The US Department of Health and Human Services was ensnared by a sweeping hacking campaign that exploited a flaw in file-transfer software called MOVEit, according to an official with the department.
The attackers gained access to data by exploiting MOVEit software used by third-party vendors, the official said, adding that no HHS systems or networks were compromised. Congress was notified of a “major incident” on June 27, according to the official, indicating it may involve exposure of data from 100,000 or more people.
However, HHS has no evidence to suggest internal email communications have been compromised, the official said.
HHS leadership believe the hackers to be a Russian-speaking group called Clop, the gang that has claimed responsibility for the MOVEit attacks, according to two other people familiar with the incident. The HHS official and the two people asked not to be identified because the details aren’t public.
The vulnerability allowed the hackers to steal files from companies and organizations that had been uploaded to MOVEit.
Among the other companies and organizations that were impacted are Ernst & Young, Honeywell, the government of Nova Scotia, the New York City Department of Education and the Louisiana Office of Motor Vehicles, where names, addresses, social security numbers and dates of birth were likely exposed for all Louisianans with a state-issued license. Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, tweeted Wednesday that 137 organizations are known to have been affected by the MOVEit attacks, compromising the records of more than 15 million people. That includes 16 entities in the US public sector, he said.
Several federal agencies “experienced intrusions affecting their MOVEit applications,” a US official said earlier this month, without naming them. Since then, further details have trickled out about the impact on the US government.
For instance, the US Department of Energy received ransom requests from the hackers after two of its entities fell victim to the intrusions.
A spokesperson for the US Department of Agriculture, in response to questions about the MOVEit breach, said fewer than 30 employees may have been impacted through a third-party vendor data breach. The USDA’s network wasn’t affected, the spokesperson said.
A General Services Administration spokesperson said two contractors “providing solutions through GSA contracts” were using MOVEit software. The GSA isn’t aware of “any major incidents involving information systems either directly or indirectly managed by GSA,” according to the spokesperson.
A December memo from the White House Office of Management and Budget defines a “major incident” relating to a government cybersecurity breach as one likely to result in demonstrable harm to national security and other US interests, or a breach that involves the exposure of personally identifiable information. The memo said a breach exposing data belonging to 100,000 or more people automatically qualifies as a major incident.
A senior administration official described the MOVEit hack as a troubling incident but not particularly significant for US national security, saying it indicated the ongoing risk of software laden with multiple bugs. Although a major incident may expose tens of thousands of people’s data, such a scenario is less severe than breaches that disrupt services or result in theft in sensitive national security information, the official said.
Adam Hodge, spokesperson for the National Security Council, said the Biden administration requires all new government purchases to use a new security standard for software.
Progress Software Corp., which markets MOVEit software, issued a patch for the flaw, and for two subsequent vulnerabilities that have since been found by cybersecurity researchers.
Clop, also known as Cl0p, is the name of a variant of ransomware, a type of malware used to encrypt a victim’s computer files until a payment is made. It also refers to the hackers that deploy the ransomware, one of several methods they use to extort its victims. They also steal documents from victims and threaten to post them online unless a ransom is paid, as they did with users of MOVEit software.
--With assistance from Anna Edgerton.
(Adds additional details throughout.)