Federal Agency Confirms It Was Hit in Massive Cyberattack

Federal Agency Confirms It Was Hit in Massive Cyberattack
The Department of Health and Human Services building in Washington on Aug. 14, 2018. Samira Bouaou/The Epoch Times
Jack Phillips
Updated:
0:00

The Department of Health and Human Services (HHS) said that hackers have targeted it as part of a global cyberattack that exploited a software flaw.

In a statement to news outlets Thursday, the agency said that “no HHS systems or networks were compromised,” adding that “attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software of third party vendors.”

“HHS is taking all appropriate actions … and will provide Congress with additional information as the investigation continues,” the agency, which oversees a range of programs, told The Hill and Reuters in a statement.

Earlier this month, it was confirmed that a multitude of federal agencies were impacted in a wide-ranging breach. The Department of Energy was reportedly affected in the attack and was asked to pay a ransom.

Hackers behind the massive breach also claimed credit for stealing data from two major law firms, Kirkland & Ellis LLP and K&L Gates LLP. The ransomware gang known as Cl0p posted the names of Kirkland & Ellis LLP and K&L Gates LLP to its leak site, typically a sign that negotiations between the victims and the hackers had broken down.

HHS’s name did not appear among Cl0p’s list of purported victims. The group has previously insisted it doesn’t deliberately steal data from government organizations, but that doesn’t mean that data haven’t been compromised.

Believed by researchers to be a Russian-speaking group of hackers, Cl0p was recently able to gain access to a wide swathe of organizations’ data by compromising MOVEit Transfer, a file commercial management tool made by Progress Software.

Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA), which is run by the Department of Homeland Security, confirmed federal agencies were targeted.

“As far as we know these actors are only stealing information that is specifically being stored on the file-transfer application at the precise time that the intrusion occurred,” Jen Easterly, director of CISA, told reporters on June 15. She added that the hack isn’t being used to get broader access to the systems, without elaborating.

At the time, neither CISA nor Easterly elaborated on what agencies were hacked, and she said that CISA isn’t aware of any ransomware shakedown attempts. However, the Department of Energy at the time said that two of its entities were compromised using the MOVEit vulnerability.

“CISA is providing support to several federal agencies that have experienced intrusions,” CISA spokesman Eric Goldstein told NBC News. “We are working urgently to understand impacts and ensure timely remediation.”

The Department of Energy told CNN via a spokesperson that the agency “took immediate steps” to mitigate the impact of the breach after learning of the incident. “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach,” the spokesperson said in a statement on June 15.

About a week before CISA’s announcement, the cybersecurity agency released a statement that had warned about the ransomware gang targeting the MOVEit vulnerability. It said that the FBI is involved in an investigation seeking information “from foreign IP addresses, a sample ransom note, communications with CL0P group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.”

“FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents,” the statement said.

Warnings

Meanwhile, researchers have said that Cl0p has a history of targeting file-transfer tools to gain access to systems.

Speaking ahead of the latest claims, Jon Clay, the vice president for threat intelligence at cybersecurity firm TrendMicro, described Cl0p as a resourceful group with little incentive to stop its shakedown spree.

“They aren’t going away,” he said. “Unless the heat gets on them very bad.”

The group has been blamed for a range of ransomware attacks that lock users out of their systems in exchange for large sums of cash. “The activity we’re seeing at the moment, adding company names to their leak site, is a tactic to scare victims, both listed and unlisted, into paying,” Rafe Pilling, the head of threat research at Secureworks, told CNN earlier this month.

And Wendi Whitmore, with cybersecurity firm Palo Alto Networks, said Cl0p’s campaign of hacking victims via MOVEit was widespread and suggested there were more victims involved.

“I think it’s at least hundreds, if not more,"  she said.

Reuters contributed to this report.
Jack Phillips
Jack Phillips
Breaking News Reporter
Jack Phillips is a breaking news reporter who covers a range of topics, including politics, U.S., and health news. A father of two, Jack grew up in California's Central Valley. Follow him on X: https://twitter.com/jackphillips5
twitter
Related Topics