Clop ransomware: What to know about a cybersecurity attack hitting schools, businesses and government agencies

CNN
June 17, 2023


A growing number of businesses, universities and government agencies have been hit in a global cyberattack attributed to Russian cybercriminals and are now working to determine how much data was compromised.

While the scope of the attack is not yet fully known, officials at the US Cybersecurity and Infrastructure Security Agency (CISA) said Thursday that “several federal agencies… have experienced intrusions” and suggested a number of businesses could be impacted as well.

Separately, state agencies said late Thursday that millions of people in Louisiana and Oregon had their data compromised in a security breach. The states did not blame anyone in particular for the hack but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang that calls itself Clop.

“Nobody knows the full extent of this, and that’s the way these cyber compromises work,” Robert Cattanach, a partner specializing in cybersecurity at the law firm Dorsey & Whitney and a former trial lawyer for the Department of Justice, told CNN Friday. “Once you’re compromised, there begins an arduous process of ‘how far in did they get in?’ and ‘what did they take?’ That’s typically weeks, and sometimes months.”

Here’s what we know so far.

Who has been impacted?

The cyberattack has targeted federal and state agencies.

The Department of Energy said it “took immediate steps” to mitigate the impact of the hack after learning that records from two department “entities” had been compromised. No other federal agencies have confirmed being impacted.

The attack has also affected state governments in Minnesota and Illinois. And on Thursday, state agencies said 3.5 million Oregonians with driver’s licenses or state ID cards had been affected by a breach, as had everyone holding such documents in Louisiana.

The sprawling attack is hitting private companies, too.

Clop previously claimed credit for a hack that compromised employee data at the BBC and British Airways. The companies have confirmed suffering a cybersecurity incident, which came via a breach of a human resources firm used by both.

According to Brett Callow, threat analyst at cybersecurity firm Emsisoft, the hackers have also listed Aon and The Boston Globe as victims. “By my count, there are now 63 known/confirmed victims plus an unspecified number of USG agencies,” Callow tweeted. (Aon told CNN that it’s investigating an incident impacting its clients. Representatives for The Boston Globe did not immediately respond to a request for comment.)


The hacking campaign has also spread to academia. Johns Hopkins University in Baltimore and the university’s renowned health system said in a statement that “sensitive personal and financial information,” including health billing records may have been stolen in the hack.

Meanwhile, Georgia’s state-wide university system – which spans the 40,000-student University of Georgia along with over a dozen other state colleges and universities – confirmed it was investigating the “scope and severity” of the hack.

What do we know about the group behind the cybersecurity attack?

Clop is a Russian ransomware gang known for demanding multimillion-dollar payments from victims under threat of publishing data it claims to have stolen.

Clop previously said it has “information on hundreds of companies,” according to a dark web posting seen by CNN, and asked victims to contact it about paying a ransom. It later began listing more alleged victims from the hack on its extortion site on the dark web.

Some cybersecurity experts have suggested to CNN that the ransomware group’s decision to ask victims to contact it rather than the other way around shows the gang is “overwhelmed” with the sheer number of companies and organizations impacted by its latest cyberattack.

As of Thursday, instead of listing federal agencies on the dark web list, the hackers wrote in all caps, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”

What happened?

The hackers exploited a vulnerability in MOVEit, a file-transfer product widely used by companies and agencies to move data between systems.

Progress Software, the US firm that makes the software, told CNN on Thursday that a new vulnerability in the software had been discovered “that could be exploited by a bad actor.”

Progress has been warning customers for weeks about security flaws discovered in the software. It released a security advisory in early June that said a vulnerability could let hackers obtain unauthorized access to systems.

What can I do about it?

As always, experts say, consumers should maintain the usual cybersecurity precautions: choosing strong passwords, enabling two-factor authentication and keeping an eye on credit scores, account activity and possible phishing efforts.

But much of the responsibility now lies on businesses and federal agencies rather than individuals, according to Cattanach.

“[The hackers] really aren’t in the business of trying to monetize data on individuals,” he said. “Their focus is two things: holding up for ransom, or extortion, the entities that they’ve been able to compromise, and then just frankly casting doubt in the federal government as to the security of its many federal systems.”

CISA ordered all federal civilian agencies to patch the MOVEit software in light of the hack last week. Progress, meanwhile, has released two software patches to remedy the issue and published remediation steps for impacted entities. Patching closes the entry point but does not undo data already taken, so organizations running MOVEit also need to review their systems and logs for signs of exploitation that occurred before the fix was applied.

However, the MOVEit vulnerability makes the software a target for other bad actors looking to wreak havoc, and experts say other groups may now have the exploit code needed to conduct attacks of their own.

Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, told CNN last week: “Unfortunately, the sensitive nature of the data often stored on MOVEit servers means there will likely be real consequences stemming from the [data theft] but it will be months before we understand the full fallout from this attack.”
