Brazen Cyber Attacks on U.S. Agencies Create a Pointed Response

June 28, 2023
Russian hackers wreak havoc on U.S. and global organizations with aggressive ransomware threats during the month of June

To say that June has been a bad month for the global cybersecurity community wouldn’t begin to account for the chaos and damage done by a group of Russian hackers known as Clop, in what U.S. cyber agency officials are calling an unprecedented hacking spree.

Clop began exploiting a zero-day vulnerability in the MOVEit Transfer system on May 27. Although it claimed to breach multiple companies’ servers with this vulnerability, it did not immediately extort the victims, sticking with several localized attacks against smaller organizations.

The group quickly upped the ante when it compromised employee data within the BBC and British Airways the first week in June, while also attacking several U.S. federal and government agencies. However, that same week Clop also claimed to have deleted data related to governments and the military without providing a motive.The FBI and CISA released a joint Cybersecurity Advisory (CSA) on June 7 providing the known Clop ransomware group tactics, techniques, and procedures as of June 2023, information concerning the MOVEit vulnerability, a list of the known indicators of compromise (IOCs), and recommended mitigation steps for affected parties. Less than a week later Clop began publishing its list of ransomware victims, which now total close to 70 government agencies, business organizations, critical infrastructure and financial services and banking institutions across the globe.

Clops rapid-fire extortion threats only added to the urgency tech firms, corporations and government agencies from the U.S. to Canada and the UK have been forced to address. As of June 19, according to Progressive Software, the makers of MOVEit, the vulnerability has been fixed in MOVEit Transfer versions 2021.0.8 (13.0.8), 2021.1.6 (13.1.6), 2022.0.6 (14.0.6), 2022.1.7 (14.1.7), and 2023.0.3 (15.0.3). Public disclosure of the flaw happened before Progress came up with a fix.

"It’s clear that the cop ransomware group has a pattern of targeting file transfer solutions including Acellion’s File Transfer Appliance, Fortra’s GoAnywhere and Progress Software’s MOVEit Transfer,” says Satnam Narang, Senior Staff Research Engineer at Tenable.

File transfer solutions are designed to help make sensitive file sharing easier and ensure compliance. These are not the only solutions out there, so we anticipate that Clop will continue to seek out zero-day vulnerabilities in other file transfer solutions. It would behoove those organizations that produce such products to conduct security audits of their software to identify vulnerabilities before attackers do. Just as we plan for natural disasters, organizations should have a ransomware preparedness plan in place so they can adequately respond to ransomware attacks."

Full-Blown Cyber War?

While putting this report together, SecurityInfoWatcheditors questioned if the Clop ransomware attacks and the bold Russian cyber declaration were the start of something much bigger. Many of the cyber experts SIWspoke to were not so sure.

“There’s no immediate indication pointing to a cyber war. All Western nations have been subject to hybrid warfare -- extending to cyber warfare -- in recent years and other countries have also been victims of the MOVEit breach,” says Tyler Sullivan, a Senior Security Consultant with NetSPI.

For example, he notes, BBC and others in the UK have disclosed breaches. While activity has increased over the last 18 months, it doesn’t indicate a precursor to a full-blown cyber war. These attacks occurred long before the invasion and will likely occur long after,” he concludes. 

Sullivan adds that activity from Russian-speaking threat actors has been a constant for years, even before the Ukraine invasion. FIN7, the crew allegedly responsible for the MOVEit attacks has been a part of a long and extensive history of Russian-speaking threat actors in cyberspace. Furthermore, Sullivan points out cyber gangs have rarely discriminated against their targets, and he figures they will likely go for anyone they find vulnerable to their exploits.

“That said, there has been a trend of increased attacks against those supporting Ukraine. While it can’t be said for sure that there is a direct correlation, the MOVEit attacks could be part of that trend,” he says."

Eric Foster is a 25-year cybersecurity professional and is currently the Vice of Business Development for Stairwell. He says it is important to understand the Russian government isn’t directly doing the attack but a criminal group with Russian links (e.g. a criminal enterprise operating in Russia).

“It’s an important distinction,” Foster says. “This isn’t an escalation of cyberwar between Russia and the U.S. It’s yet another attack from cyber criminals, many of which happen to operate out of eastern Europe.

Foster also doesn’t see a correlation between these attacks on U.S. entities and aid going to Ukraine. Clop, also known as 'Lace Tempest,’ is a criminal enterprise that has done this exact type of attack several times before and will do this until they are brought to justice, he says.

The threat actor has used similar vulnerabilities in the past to steal data and extort victims most notably the Accellion File Transfer Appliance vulnerability.”

While Foster believes government agency cyberattacks are here to stay, Brian Fox, a software developer, innovator and entrepreneur and current CTO and co-founder of Sonatype, doesn’t feel U.S. federal agencies were purposely targeted.  
“Cyberattacks have been increasing for years. government bodies are always targets and we should absolutely expect that to continue,” Fox predicts. “. We saw that Clop will allegedly be deleting any data from the U.S. government, so it seems the federal agencies impacted were not the target. I think it’s also reasonable to conclude that the U.S. government’s strategy to ‘dismantle’ threat actors is working here,” concludes Fox.

Erich Kron, a security awareness advocate at KnowBe4, shares the mindset of his colleagues that direct attacks on U.S. government entities are not a smart strategy.

“If this was one of the Clopaffiliates, it is a very brazen move as it is likely to draw some serious attention from the federal government. Many cyber gangs, even those backed by nation-state players, try to avoid the focused attention of the U.S. government and its allies. Some significant cybercrime groups have fallen after they have become a focused target of the government, and this sort of attack is likely to put them straight in the crosshairs of the response teams., Kron says.

How Worrisome is This Attack? 

In judging the scope of the Clop campaign, along with the current view of the geopolitical landscape and the alleged nationality of the major affiliation behind the campaign, this operation signals a major escalation in the hostilities of ongoing cyber warfare, says Colin Little, a Security Engineer at Centripetal.

“What's worse, I believe this campaign has the strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare, but the geopolitical landscape as well," he adds. “Unlike other industry verticals, the U.S. federal government and other governments worldwide that have been breached may be permitted to deploy more offensive cyber resources than, say, a university or a hospital.”

The timeline for these attacks has been calculating and relentless. As reported by risk management and resilience consulting firm Flashpoint based in Washington, D.C., the hackers quickly identified weaknesses in the MOVEit software and went in for the kill.

On May 31, Progress Software publicly disclosed the vulnerability and released an initial patch, as well as recommended remediation steps. However, more vulnerabilities affecting MOVEit have been recently discovered.

On June 5, Zellis UK, a payroll and HR solutions provider, confirmed that it had been compromised by the vulnerability. The attack on Zellis directly led to the compromise of several other organizations within its supply chain.

A day later, Clop officially claimed credit for exploiting the MOVEit vulnerability. Clop also claimed to have deleted any data related to governments, military and children’s hospitals. However, several U.S. federal agencies and government contractors are known to have been affected by the recent Clop ransomware attack.

The following day, on June 7, the FBI and CISA released a joint Cybersecurity Advisory (CSA) providing the known Clopransomware group tactics, techniques, and procedures as of June 2023, information concerning the MOVEit vulnerability, a list of the known indicators of compromise (IOCs), and recommended mitigation steps for affected parties.

Less than a week later, Clop began to publish its list of victims.

Avishai Avivi, the CISO of SafeBreach, explains that the Clop Ransomware group has leveraged yet another vulnerability in a Managed File Transfer (MFT) system. The SQL Injection vulnerability in MOVEIt is different than the one Clop found in GoAnywhere (unsecured administrative interface), but both involve an unauthenticated user being able to leverage the vulnerability and gain privileged access to data stored on the servers.

“This is a playbook that works well for Clop once they verified the vulnerability, they immediately started looking for additional systems to attack. It’s important to note that Clop doesn’t seem to care about the type of victim, as long as they can successfully breach them. They’ve attacked health organizations, financial organizations, utility companies, universities and even government agencies,” Avivi says.

He adds that while the customers who used MOVEIt and were breached by Clop are certainly the victims of a cyberattack, they do bear some of the responsibility. “It’s wrong to assume that just because a piece of software claims to be ‘secure’ that it is in fact secure. Customers must always validate that the software they use is secure and configured in a way that can protect against cyberattacks.”

For example, he says, MFT servers should only hang on to files for the minimal duration needed to transfer the files from one location to another. From the little information that’s currently available, it appears that Clop exfiltrated large amounts of data that was available on the servers themselves.” ,” Avivi says.

Federal Agencies, DOJ Respond

The U.S. government has moved swiftly to help mitigate this broad-based attack that has left many state and federal agencies that use the MOVEit software vulnerable, but officials remain unclear just how many have been compromised.

The FBI and CISA released recommendations on how organizations should deal with the Clop hack. Progress Software has also been proactive in telling victims to update their software packages and has issued security advice.

In fact, last week the Justice Department announced the creation of a new National Security Cyber Section within its existing National Security Division. With approval from Congress, NatSec Cyber was on the heels of Deputy Attorney General Lisa O. Monaco’s Comprehensive Cyber Review conducted in July 2022.

"NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena,” said Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division in an agency press release.

“This new section will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.”

The National Security Cyber Section will increase the Justice Department’s capacity to disrupt and respond to malicious cyber activity while promoting intragovernmental partnerships in tackling increasingly sophisticated and aggressive cyber threats by hostile nation-state adversaries.

NatSec Cyber will bolster collaboration between key partners, including the Criminal Division’s Computer Crimes and Intellectual Property Section (CCIPS) and the FBI’s Cyber Division, and will serve as a valuable resource for prosecutors in the 94 U.S. Attorneys' Offices and 56 FBI Field Offices across the country.

“Responding to highly technical cyber threats often requires significant time and resources,” U.S. Assistant Attorney General Olsen says. “NatSec Cyber will serve as an incubator, able to invest in the time-intensive and complex investigative work for early-stage cases.”

The DOJ made it clear that this new initiative builds upon recent successes in identifying, addressing and eliminating national security cyber threats, including the charging of an alleged cybercriminal with ransomware attacks against U.S. critical infrastructure and disruption of the Russian government’s premier cyberespionage malware tool.

Where Do We Go From Here?

As with every large-scale and well-publicized cyber-attack the obligatory post-mortems begin. So, what are the short-term and long-term remedies for these agencies to address and mitigate the increased threats?In the short term, Foster believes agencies should follow the excellent instructions that Progress Software has provided, which include immediately quarantining any server running a vulnerable version of MOVEit and replacing it with an updated version that doesn’t have the vulnerability. If necessary, agencies should bring in help for incident response or a compromise assessment.
“Longer term, companies must acknowledge that attempts at prevention alone set them up for failure and do a better job with both detection and response of to threats. There are multiple great solutions on the market for enhancing threat detection and response, both via managed service providers such as CyderesMandiant or Binary Defense,” says Foster.

And there are various advanced technology solutions for enhancing detection and response capabilities -- such as solutions that augment defenders’ capabilities with automation, machine learning, or artificial intelligence – or deception technologies that can both fool attackers and alert defenders.”

Foster adds that he believes cybersecurity is always going to be an ongoing battle; and requires a combination of people, processes, and technology that work together to enhance enterprises' abilities to detect and respond to advanced threats.

“Ultimately, it requires constant vigilance,” he stresses.

Kron concludes that having a patching strategy and keeping vulnerable devices updated with the latest security updates is critical, even for those that aren’t directly connected to the Internet.

In addition, groups like Clop love to use social engineering tactics to get the initial network access, so a well-developed employee security awareness program that teaches employees how to spot and report phishing emails and other social engineering attempts quickly and efficiently can have a huge impact on the organization’s security posture,” Kron explains.

"One of the biggest pieces of leverage used by ransomware or extortion groups to get their money is the data they've stolen, ensuring that access to the data is limited only to people that require it and using data loss prevention controls to watch for data moving to unusual places are some important technical controls that should also be in place.”

About the author: Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes magazines Security Technology Executive, Security Business and Locksmith Ledger International and the top-rated webportal SecurityInfoWatch.com. Steve can be reached at [email protected]

About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website SecurityInfoWatch.com. He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]