The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a number of US government agencies have been targeted by cyberattacks. The intrusions are reportedly part of a global hacking campaign that exploits a flaw in the MOVEit software program.
CNN reports that Eric Goldstein, the agency’s executive assistant director for cybersecurity, said that it "is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications." He added, "We are working urgently to understand impacts and ensure timely remediation."
So far there's no official comment from CISA on which government agencies were affected by this cyberattack. There's also no word from the agency on whether any sensitive files have been taken as a result of the attack. NBC News interviewed CISA Director Jen Easterly, who stated only that the hackers that might be responsible for these attacks were "a well-known ransomware group."
Many experts believe the attacks are coming from CL0P, which is mostly based in Russia. The FBI and CISA issued an alert about this group last week, stating that the group had discovered a flaw in MOVEit and used it to attack systems running that software.
That same group has claimed responsibility for attacking a number of governments and businesses with this exploit. CNN says the victims include the BBC, British Airways, Shell, and the state governments of Minnesota and Illinois.
The ransomware group had given victims until Wednesday to contact them about paying a ransom, after which they began listing more alleged victims from the hack on their extortion site on the dark web. As of Thursday morning, the dark website did not list any US federal agencies. Instead, the hackers wrote in all caps, “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information.”
MOVEit's parent company, Progress, has posted an alert about the exploit that strongly suggests companies using the software "disable all HTTP and HTTPS traffic to your MOVEit Transfer environment." It also released a patch on June 9 to close the exploit.