Cyber Incident Victim: U.S. Department of Energy
Date: May 2023
Location: United States of America
Summary
A cyberattack exploiting a vulnerability in the MOVEit file transfer tool impacted the U.S. Department of Energy and several other federal agencies. The Russia-based Clop ransomware gang was identified as the actor responsible for the breach, which involved the theft of data stored on the application at the time of the intrusion. The DOE confirmed that records from two of its entities had been compromised, but officials assessed the campaign as opportunistic and concluded that it did not present a systemic risk to national security of the kind posed by earlier incidents such as the 2020 SolarWinds campaign.
Description
On or around May 28, 2023, the Russia-based Clop ransomware gang began exploiting a vulnerability in the widely used MOVEit file transfer tool, a product of Progress Software. This widespread cyberattack compromised dozens of entities globally, including several U.S. federal agencies. Top U.S. cybersecurity officials from the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on June 15, 2023, that a number of federal agencies had been impacted. CISA Director Jen Easterly stated that her agency and the FBI were working to assist federal agencies that had used the vulnerable MOVEit application. The campaign was characterized as largely opportunistic: the threat actors stole whatever information happened to be stored on the file transfer application at the time of the intrusion. Officials emphasized that the vulnerability was not being used to gain broader access to federal systems or to steal specific, high-value information, and that the incident did not present a systemic risk to national security akin to the SolarWinds campaign of 2020.

The Department of Energy (DOE) confirmed it was impacted by this data breach. The department stated that upon learning that records from two of its entities had been compromised in the global cyberattack, it took immediate steps to prevent further exposure to the vulnerability and notified CISA. The DOE also notified Congress and began working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach. Sources identified the two affected DOE entities as Oak Ridge Associated Universities and the Waste Isolation Pilot Plant (WIPP) in Carlsbad, New Mexico. The Waste Isolation Pilot Plant is the nation's only repository for the disposal of nuclear waste generated by atomic energy defense activities, which indicates the sensitive nature of some of the data that may have been accessed.
CISA and FBI officials declined to name all the agencies affected by the breach or to specify an exact number, only characterizing it as a "small number." A State Department spokesperson acknowledged reports but had no comment, while the Department of the Interior confirmed it was not affected. The Office of the Secretary of Defense declined to discuss the status of its networks as a matter of policy. A senior CISA official provided additional context, noting that the Clop ransomware gang had been known to them for years due to previous exploitation of vulnerabilities in other file transfer services like Accellion and Fortra’s GoAnywhere. The official stated there was no evidence of coordination between the Clop group and the Russian government.
In response to the incident, CISA published an advisory and ordered all federal agencies to remediate the vulnerability by June 23. The agency worked urgently to understand the impact and ensure timely remediation across the federal enterprise. CISA's assessment was that the majority of intrusion activity occurred in the days shortly after Progress Software's initial disclosure of the vulnerability, which prompted CISA to move quickly to drive national mitigation efforts and provide targeted notifications to vulnerable organizations. As of June 15, no federal agency had received an extortion demand, and no federal data had been leaked by the threat actors. The Clop group itself claimed on its leak site to have deleted all government-connected information, a claim that was not independently verified.
The impact of the MOVEit vulnerability extended far beyond the federal government, with the CISA official estimating there were likely hundreds of victims across the United States. State government agencies in Illinois, Missouri, and Minnesota all reported they were investigating potential data breaches related to MOVEit. The breach also significantly impacted the education and healthcare sectors. The University of Georgia and Johns Hopkins University confirmed they were affected. Johns Hopkins reported that some information from employees, students, and patients was accessed, though electronic health records were not compromised. The University of Georgia stated it was evaluating the scope and severity of the potential data exposure. BORN Ontario, a provincial perinatal, newborn and child registry, was also affected and released an advisory to notify patients.
Internationally, numerous organizations in the United Kingdom were compromised, including the BBC, airlines British Airways and Aer Lingus, pharmaceuticals retailer Boots, and the country’s communications regulator Ofcom. The oil giant Shell also confirmed it was impacted by the breach. The governments of Nova Scotia, Canada, and the University of Rochester were among the first victims identified in North America. Progress Software announced a second vulnerability in the MOVEit software shortly after the initial disclosure, and on the evening of June 15, it announced the discovery of a third vulnerability, indicating the ongoing and evolving nature of the threat associated with the software. The incident response involved coordinated efforts between software vendors, federal cybersecurity agencies, law enforcement, and affected organizations to contain the breaches and mitigate their impacts.
