Multiple federal agencies, including two Department of Energy entities, were victims of a cyberattack that resulted from a widespread vulnerability in MOVEit file transfer software, federal officials said Thursday.
While it’s unclear who infiltrated the DOE agencies, a ransomware group known as CL0P has used the flaw in the widely used software to attack hundreds of organizations in recent weeks, including universities, banks and major multinational corporations. The group publicized online that it has victimized “hundreds of companies” and gave a June 14 deadline to negotiate a ransom price before it released stolen data.
So far, CL0P is the only threat group linked to the MOVEit vulnerability by the Cybersecurity and Infrastructure Security Agency and the FBI.
At a media briefing Thursday afternoon, CISA Director Jen Easterly said that “we are not tracking significant impact on civilian .gov enterprise but are continuing to work with our partners on this.” Additionally, she said, no federal agency has received extortion demands and no federal data has been leaked so far.
“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” she said, adding that the attack appears to be largely opportunistic and not “like SolarWinds that presents a systemic risk to our national security or our nation’s network.”
CNN first reported that “several federal agencies” had been victims as a result of the file transfer flaw and that the Cybersecurity and Infrastructure Security Agency was urgently working with them to remediate the problem.
A Department of Energy spokesperson told CyberScoop on Thursday afternoon that “upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA).”
DOE considers an entity any facility, office, or laboratory run by DOE or a DOE contractor. The agency is home to the national laboratories such as Sandia and Los Alamos National Labs that conduct nuclear power and weapons research.
“The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said.
Speaking on background, an official at the briefing said they are not aware of any federal agency that has not yet put mitigations for the vulnerability in place.
CL0P claimed on its dark web leak site to have “information on hundreds of companies” as part of its attack. The group also said that if the victim organization was “a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
The group has added 27 victim organizations to its leak page since June 14, according to data collected by eCrime.ch; however, it’s not clear whether all of those entities were MOVEit users or whether they were targeted by CL0P in separate extortion attacks.
Censys, a company that tracks internet-connected devices, said on Tuesday that government and military organizations represent 7.56% of the visible MOVEit hosts, with more than 80% of those being in the U.S.
CISA acknowledged on Thursday that several federal agencies were impacted as a result of the MOVEit compromise.
Eric Goldstein, executive assistant director for cybersecurity at CISA, said in a statement that “CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications. We are working urgently to understand impacts and ensure timely remediation.”
CyberScoop asked multiple federal departments and agencies if they were impacted as part of the MOVEit compromise. Only the Department of Energy reported any kind of compromise. Other agency officials responded that their departments had taken steps to patch the vulnerability.
A Veterans Affairs official told CyberScoop that the department had “three systems that were running software susceptible to the MOVEit vulnerability. These systems were immediately remediated and there was no impact to VA or Veteran data.
“We have network blocks in place at their perimeters to prevent port connections, secure protocols, and safeguard inbound data, and VA has installed the latest patches to the systems that used the MOVEit Transfer software. We have also worked with security technology vendors to develop more robust detection capabilities for the vulnerability.”