The Department of Health and Human Services (HHS) said that hackers have targeted it as part of a global cyberattack that exploited a software flaw.
In a statement to news outlets Thursday, the agency said that “no HHS systems or networks were compromised,” adding that “attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software of third party vendors.”
“HHS is taking all appropriate actions … and will provide Congress with additional information as the investigation continues,” the agency, which oversees a range of programs, told The Hill and Reuters in a statement.
Earlier this month, it was confirmed that a multitude of federal agencies were impacted in a wide-ranging breach. The Department of Energy was reportedly affected in the attack and was asked to pay a ransom.
Hackers behind the massive breach also claimed credit for stealing data from two major law firms, Kirkland & Ellis LLP and K&L Gates LLP. The ransomware gang known as Cl0p posted the names of Kirkland & Ellis LLP and K&L Gates LLP to its leak site, typically a sign that negotiations between the victims and the hackers had broken down.
HHS’s name did not appear among Cl0p’s list of purported victims. The group has previously insisted it doesn’t deliberately steal data from government organizations, but that doesn’t mean that data haven’t been compromised.
Believed by researchers to be a Russian-speaking group of hackers, Cl0p was recently able to gain access to a wide swathe of organizations’ data by compromising MOVEit Transfer, a commercial file management tool made by Progress Software.
Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA), which is run by the Department of Homeland Security, confirmed federal agencies were targeted.
At the time, neither CISA nor Easterly elaborated on which agencies were hacked, and she said that CISA isn’t aware of any ransomware shakedown attempts. However, the Department of Energy at the time said that two of its entities were compromised using the MOVEit vulnerability.
“CISA is providing support to several federal agencies that have experienced intrusions,” CISA spokesman Eric Goldstein told NBC News. “We are working urgently to understand impacts and ensure timely remediation.”
About a week before CISA’s announcement, the cybersecurity agency released a statement warning about the ransomware gang targeting the MOVEit vulnerability. It said that the FBI is involved in an investigation seeking information “from foreign IP addresses, a sample ransom note, communications with CL0P group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”
Warnings
Meanwhile, researchers have said that Cl0p has a history of targeting file-transfer tools to gain access to systems. Speaking ahead of the latest claims, Jon Clay, the vice president for threat intelligence at cybersecurity firm Trend Micro, described Cl0p as a resourceful group with little incentive to stop its shakedown spree.
“They aren’t going away,” he said. “Unless the heat gets on them very bad.”
The group has been blamed for a range of ransomware attacks that lock users out of their systems in exchange for large sums of cash. “The activity we’re seeing at the moment, adding company names to their leak site, is a tactic to scare victims, both listed and unlisted, into paying,” Rafe Pilling, the head of threat research at Secureworks, told CNN earlier this month.
And Wendi Whitmore, with cybersecurity firm Palo Alto Networks, said Cl0p’s campaign of hacking victims via MOVEit was widespread and suggested there were more victims involved.
“I think it’s at least hundreds, if not more,” she said.