The FederalNewsNetwork is reporting that several federal agencies have been hit with cyber intrusions by a zero-day vulnerability in a popular file transfer service, and Department of Energy organizations are among the victims.
UPDATE 06/16: The global data breach exposed the personal information of millions of Oregonians who have a DMV-issued identification card. Airlines, banks, universities, foreign governments, and other state-level agencies were also compromised by the attack. Those compromises include a government-managed radioactive waste storage site, and the victim count outside of government agencies was about 50 as of late yesterday. KPTV News reported that the Oregon DMV was made aware of the breach on June 1. The Oregon DOT announced yesterday that personal information of about 3.5 million residents may have been compromised; ODOT was alerted by the Cybersecurity and Infrastructure Security Agency (CISA) that a popular file transfer tool called MOVEit could allow unauthorized access to its user systems. Around a dozen other U.S. agencies have active MOVEit contracts, according to the Federal Data Procurement System. TechCrunch reported that this includes the Department of the Army, the Department of the Air Force, and the Food and Drug Administration.
Multiple sources confirmed that Oak Ridge Associated Universities and Energy’s Waste Isolation Pilot Plant in Carlsbad, New Mexico experienced data breaches caused by the MOVEit vulnerability. It was unknown whether the incident affected any internal Energy Department-run systems, but it had impacted agency data at those locations.
Multiple U.S. agencies have been compromised by attackers who had exploited flaws in popular software tool MOVEit and had collected information from a range of victims. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), a unit of the Department of Homeland Security, confirmed Thursday that several federal agencies were affected but which agencies was not yet clear. CLoP‘s Russian-speaking hackers have managed recent attacks exploiting MOVEit.
The breach compromised the personally identifiable information of potentially tens of thousands of individuals, including DOE employees and contractors, and DOE officials took immediate steps to prevent further exposure. Other agencies will also likely be affected by the breach because MOVEit is a popular transfer software.
“This software is embedded in a lot of systems, and there could be a long tail on this one,” one source said. “There’s probably stuff out there you just don’t know about yet.” The government of Nova Scotia and the University of Rochester were the first victims to be identified in North America while organizations such as Britain’s communications regulator Ofcom, the BBC, British Airways, and Irish carrier Aer Lingus have disclosed data theft.
Minnesota’s Department of Education announced a wide-ranging breach involving the data of hundreds of thousands of students.
TheRecord reported that security company Censys said they examined organizations exposed to the internet who use MOVEit Transfer and found that 31 percent of the hosts running MOVEit are in the financial services industry, 16 percent in healthcare, 9 percent in information technology, and 8 percent in government and military.
Missouri’s Office of Administration, Information Services and Technology Division (OA-ITSD) said on Tuesday it is investigating what was taken by hackers during a cyberattack on the MOVEit system they use to transfer files and information between agencies. State agencies in Illinois also said they are investigating.