Exclusive

Energy Department among ‘several’ federal agencies hit by MOVEit breach

Sources confirmed the Energy Department is treating it as "major incident," with other agencies uncovering intrusions as well.

(CORRECTION: This story originally reported that a cleanup contractor for Oak Ridge National Laboratory experienced a data breach associated with MOVEit software. It was actually the Energy Department’s Waste Isolation Pilot Plant.)

Several federal agencies have been hit with cyber intrusions due to a zero-day vulnerability in a popular file transfer service, with Energy Department organizations counted among the victims of the global cyberattack.

Multiple sources confirmed to Federal News Network that Oak Ridge Associated Universities and Energy’s Waste Isolation Pilot Plant near Carlsbad, New Mexico, experienced data breaches due to the MOVEit vulnerability. The incident did not affect any internal Energy Department-run systems, but it did impact agency data at those locations.

Sources said Energy is treating it as a “major incident.”

The breach impacted the personally identifiable information of potentially tens of thousands of individuals, including Energy employees and contractors, according to sources.

“The U.S. Department of Energy (DOE) takes cybersecurity and the responsibility to protect its data very seriously,” an Energy spokesman told Federal News Network. “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency (CISA). The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.”

Sources said they expected many other agencies would also be affected by the breach due to the widespread use of the MOVEit Transfer software.

“This software is embedded in a lot of systems, and there could be a long tail on this one,” one source said. “There’s probably stuff out there you just don’t know about yet.”

In a statement, CISA Executive Assistant Director for Cybersecurity Eric Goldstein confirmed multiple agencies have been impacted by the MOVEit breach so far.

“CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” Goldstein said. “We are working urgently to understand impacts and ensure timely remediation.”

CISA did not detail which specific agencies have been breached or whether the attackers are the Russia-linked ransomware gang that has claimed credit for the campaign targeting MOVEit applications. CNN first reported Goldstein’s comment.

On Friday, the Department of Veterans Affairs said it was able to quickly patch its MOVEit instances and had not experienced any impacts to VA or veterans’ data.

“Protection of Veteran data is paramount at VA. While we had three systems that were running software susceptible to the MOVEit vulnerability, these systems were immediately remediated and there was no impact to VA or veteran data,” a VA spokeswoman told Federal News Network. “Our system has network blocks in place at their perimeters to prevent port connections, secure protocols, and safeguard inbound data, and we have installed the latest patches to the systems that used the MOVEit Transfer software. We have also worked diligently with security technology vendors to develop more robust detection capabilities for the vulnerability.”

During a call with reporters Thursday, CISA Director Jen Easterly said the agency was not tracking “significant impacts” to the civilian .gov enterprise.

“Based on discussions we’ve had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being leveraged to gain broader access to gain persistence into targeted systems to steal specific, high value information,” Easterly said. “As we understand it, this attack is largely an opportunistic one.”

She added that while CISA is “very concerned” about the MOVEit intrusions, it’s not considered as serious as the 2020 SolarWinds campaign.

CISA officials declined to offer details on which agencies had suffered intrusions or exactly how many, only saying it was a “small number.” A senior CISA official did clarify that, “we are not aware of any impacts to military branches or the [intelligence community] at this time.”

And the official also said CISA isn’t aware of any agencies that are still running unmitigated instances of the MOVEit software.

“We have worked urgently to identify federal organizations that are running vulnerable versions of the movement application and have driven mitigation in all such cases, and so certainly there are organizations who are using this application at this point,” the official said. “Many of those organizations have already patched before intrusion activity could occur.”

An aide to the Senate Homeland Security and Governmental Affairs Committee said Chairman Gary Peters (D-Mich.) is aware of the situation and is seeking more information from CISA regarding the impact of the intrusions.

“These incidents are another example of why Chairman Peters is pressing to modernize our federal government’s cybersecurity so that federal agencies can prevent, respond to and recover from network breaches,” the aide said.

In a joint statement, House Homeland Security Chairman Mark Green (R-Tenn.) and cybersecurity and infrastructure protection subcommittee Chairman Andrew Garbarino (R-N.Y.) said the MOVEit vulnerability is “the latest reminder to public and private entities of all sizes that we cannot afford to let our guard down when it comes to our cyber defenses.” They said the committee had been in contact with CISA.

“We are pleased with the timeliness of CISA’s response to yet another significant cyber incident impacting a wide range of potential victims who use this popular software,” they said. “The Committee will continue to stay in close communication with CISA as we work to gather more information, including who is responsible and the full extent of the data impacted. This incident is another reminder of the importance of CISA’s commitment to its cybersecurity mission and the need to be appropriately equipped to carry out that mission.”

Multiple state agencies, Johns Hopkins University, and Shell are also among a growing list of known MOVEit victims.

MOVEit is a popular file transfer service owned by Progress Software. Beginning on May 27, a ransomware gang known as “CL0P” allegedly began exploiting a previously unknown vulnerability in MOVEit applications to steal data from organizations.

Progress Software released a security advisory on June 1 detailing the vulnerability, along with mitigation steps and updates for the software. CISA subsequently added the bug to the Known Exploited Vulnerabilities Catalog on June 2, requiring agencies to apply patches by June 23 at the latest.

In a June 7 advisory, CISA and the FBI detailed the ransomware gang’s tactics, as well as any potential indicators of compromise from the MOVEit vulnerability.

Due to the “speed and ease” at which the group exploited the vulnerability, as well as their past campaigns, CISA and the FBI said they “expect to see widespread exploitation of unpatched software services in both private and public networks.”

Cybersecurity firm Censys reports that earlier this month, it discovered more than 3,000 hosts over the open internet running instances of MOVEit Transfer.

Censys says 31% were in the financial services industry, 16% in healthcare, 9% in information technology, and 8% in government and military. More than 60 of the hosts were U.S. federal and state government organizations.

Emily Austin, security research manager and senior researcher at Censys, said MOVEit is in many ways “the perfect target” for many threat groups.

“Large customers, large amounts of data being transferred in these highly regulated industries, and on top of that, a lot of them do have exposed web interfaces,” Austin said. “So you have this sort of trifecta of lots of data from highly regulated industries, with access on the web, and of course, what threat actor wouldn’t go after that if you’re financially motivated.”

(Federal News Network’s Jason Miller contributed reporting to this story)

Copyright © 2024 Federal News Network. All rights reserved.