Cyber Incident Victim: Ciena
Date: May 2023
Location: United States of America
Summary
The telecommunications firm Ciena was impacted by a cyberattack exploiting a vulnerability in the MOVEit file transfer tool. The company confirmed its instance was exposed and that a limited amount of data may have been impacted. The Clop cybercriminal group claimed responsibility for the incident and listed the organization on its dark web site. An investigation determined that no other systems in the network environment were affected.
Description
Ciena, a telecommunications networking equipment and software services vendor, confirmed on May 31, 2023, that its instance of the MOVEit Secure File Transfer application was exposed to a vulnerability. This confirmation came after the company's name appeared on the dark web site operated by the cybercriminal group Clop. Clop, a Russian-speaking gang, had been claiming Ciena as a victim of its widespread attack campaign exploiting the MOVEit file transfer tool. The group was demanding extortion payments from alleged breach victims in exchange for not publicly posting stolen data on its site. Ciena issued a statement in response to this claim, acknowledging the exposure of its MOVEit instance.

The company stated that, through verification by an independent security partner, it had determined that a limited amount of data may have been impacted by the incident. Ciena did not specify the type of data that was likely impacted in the attacks. The investigation into the full scope of the impact was active at the time of the statement. The company believed that no other systems within its broader network environment were affected by this incident, indicating the attack was contained to the MOVEit application. Ciena emphasized that it takes data privacy and security very seriously and that, upon learning of the incident, it began communicating with impacted parties and continued to do so.
The vulnerability exploited in this attack was tracked as CVE-2023-34362. Progress Software, the developer of MOVEit, reported this vulnerability on May 31. The flaw could enable escalation of administrative privileges and unauthorized access to the MOVEit Transfer and MOVEit Cloud tools. This specific vulnerability was pinpointed as the source of Clop’s widespread attack campaign, which ultimately impacted more than 200 known organizations. The attacks leveraged managed file transfer tools, which are appealing targets for data thieves because they enable the ingestion and movement of large volumes of data between points.
Ciena’s incident was part of a larger pattern where numerous organizations appeared on Clop's dark web site. However, not every company listed by the group confirmed being a victim. For instance, Iron Bow Technologies, an IT solution provider also named by Clop, conducted a detailed forensic investigation and confirmed its endpoint detection mechanisms had intercepted and halted an attempted exploit of its MOVEit application. Iron Bow stated that no data was exfiltrated from its systems, disputing the cybercriminal group's claims. Ciena, in contrast, confirmed that its instance was exposed and that some data may have been impacted.
The company's response involved an immediate investigation to understand the scope of the data impact. This investigation was ongoing at the time of its public statement. The primary response action confirmed was communication with any potentially impacted parties, consistent with its commitment to data privacy and security. The involvement of an independent security partner was a key part of its process to verify the exposure and assess the potential data impact. The incident highlighted the risks associated with managed file transfer systems and the focus of cybercriminal groups on data theft and extortion campaigns.
