Several U.S. agencies have been hacked as part of a broader cyberattack that has hit dozens of companies and organizations in recent weeks through a previously unknown vulnerability in popular file sharing software.
The Cybersecurity and Infrastructure Security Agency, the country’s top civilian cybersecurity watchdog, said Thursday that it is still investigating the scope of the hacks, said Eric Goldstein, its executive assistant director.
“CISA is providing support to several federal agencies that have experienced intrusions,” he said. “We are working urgently to understand impacts and ensure timely remediation.”
The hackers exploited a vulnerability in a program called MOVEIt, a popular tool for transferring files quickly.
Charles Carmakal, the chief technology officer of Mandiant, a cybersecurity company owned by Google whose clients include government agencies, said he was aware of some data theft from federal agencies through the MOVEIt hacks.
It wasn’t immediately clear whether the stolen files were sensitive or whether the hackers had disrupted government systems. CNN first reported CISA's statement.
It’s the third known time in as many years that foreign hackers have been able to break into multiple federal agencies and steal information. In 2020, hackers working for Russian intelligence broke into nine agencies by first hacking into software they used that was developed by a Texas company called SolarWinds. The next year, Chinese intelligence hackers broke into additional agencies through a remote work program called Pulse Secure.
In an interview with NBC News’ Andrea Mitchell on Thursday, CISA Director Jen Easterly said the agency was tracking the hackers “as a well-known ransomware group.”
That appeared to be a reference to an established cybercriminal group called CL0P.
Last week, CISA and the FBI issued a warning that CL0P was exploiting a previously unknown vulnerability in MOVEIt. In a rapid hacking spree, the group used the flaw to steal files from at least 47 organizations and demand payment not to publish them online, said Brett Callow, an analyst at the cybersecurity company Emsisoft.
CL0P is a primarily Russian-speaking cybercrime gang, said Allan Liska, a ransomware expert at the cybersecurity company Recorded Future.
Speaking to reporters on a call Thursday afternoon, a CISA official said that it appeared that CL0P was able to steal information that organizations had stored specifically with MOVEIt but that the hackers weren’t able to use that as a foothold to break into other systems.
The Energy Department was one of the victims, a spokesperson for the agency said in an emailed statement Thursday.
The CISA official declined to give a specific number of victims. The agency is assisting several agencies whose files were hacked, the official said. CISA is unaware of any military branches’ or intelligence community agencies’ being affected, the official said.
The Office of the Director of National Intelligence declined to comment. The National Security Council didn’t immediately respond to a request for comment.
Wendi Whitmore, who leads threat analysis for the cybersecurity company Palo Alto Networks, said CL0P’s campaign of hacking victims through MOVEIt was incredibly widespread.
“I think it’s at least hundreds, if not more,” of the total victims, she said.
This is a developing story. Please check back for updates.