Cyber Incident Victim: East West Bank

Date: May 2023

Location: United States of America

Summary

A Russia-linked ransomware group exploited a vulnerability in MOVEit Transfer software to compromise multiple organizations, including East West Bank, alongside federal agencies and other entities. The Clop gang claimed responsibility for the breach, which exposed personally identifiable information of employees and contractors, though it asserted government data was erased. Progress Software, the tool's developer, addressed a subsequent vulnerability that risked unauthorized access to customer environments. The incident impacted tens of thousands of individuals across affected organizations, with federal agencies collaborating on mitigation efforts.


Description

In late May 2023, the Russia-linked Clop ransomware gang exploited a critical vulnerability in Progress Software’s MOVEit Transfer file transfer tool, compromising multiple U.S. federal agencies and private organizations. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed intrusions affecting "several" federal agencies, including two Department of Energy entities identified as Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, which exposed personally identifiable information of employees and contractors. Clop began listing victim organizations on its dark web leak site starting June 1, initially naming U.S. financial institutions 1st Source and First National Bankers Bank alongside Shell’s U.K. operations. On June 16, the group added a second batch of victims including East West Bank, a California-based financial institution, alongside the Boston Globe, biotechnology firm Enzo Biochem, and Microsoft-owned Nuance. CISA Director Jen Easterly characterized the attacks as opportunistic, noting no evidence of data exfiltration targeting high-value information or persistent access within government systems, though the full scope of compromised data remained unconfirmed.

Progress Software disclosed a new MOVEit vulnerability (CVE-2023-35708) during the incident response, warning it could enable unauthorized access to customer environments, and released patches to mitigate the flaw. The Department of Energy implemented immediate containment measures upon discovering the breach, notifying CISA, Congress, and law enforcement while collaborating on impact mitigation. Clop claimed to have erased government data and refrained from listing federal agencies as victims, though this contradicted CISA’s confirmation of agency compromises. East West Bank did not publicly acknowledge the incident or respond to media inquiries, leaving the extent of its data exposure unresolved. Federal procurement records indicated approximately a dozen additional agencies with active MOVEit contracts, including the Department of the Army and Food and Drug Administration, though their breach status remained unconfirmed. The incident highlighted widespread exploitation of the zero-day vulnerability across both public and private sectors, with remediation efforts ongoing as of late June 2023.
