
Cyber Incident Victim: The Harrington Company

Date: Jun 2023

Location: United States of America

Summary

The Harrington Company fell victim to a widespread cyberattack exploiting a zero-day vulnerability in the MOVEit Transfer software. The Cl0p ransomware gang, which claimed the attack, used an SQL injection to compromise the platform and threatened to publish stolen data unless a ransom was paid. This incident was part of a larger spree that affected numerous organizations, including multiple US federal agencies and major law firms, leading to significant data exposure.


Description

On or around June 16, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified the US Energy Department as one of multiple federal agencies that experienced an intrusion. These intrusions were part of a wider global campaign affecting hundreds of organizations and were centered on the exploitation of a vulnerability in MOVEit Transfer, a file transfer platform developed by the American software company Progress. The threat actor behind this exploitation was the Cl0p ransomware gang. The group exploited a zero-day vulnerability in the software, reportedly via an SQL injection attack, to gain unauthorized access to systems. Prior to this incident, Cl0p had issued a threat, stating it would release the names of its victims and publish their stolen data if a ransom demand was not met by June 14th.


The list of affected organizations continued to grow throughout June. By June 29th, the US Department of Health and Human Services (HHS) was confirmed to be among those affected. A department official stated that while no HHS systems or networks were directly compromised, attackers gained access to HHS data by exploiting the vulnerability in the MOVEit Transfer software that was operated by third-party vendors. Sources indicated that tens of thousands of records held by HHS could have been exposed as a result of this breach. This made HHS the second US federal agency, after the Energy Department, publicly identified as being impacted by the incident. CISA executive assistant director Eric Goldstein confirmed the agency was providing support to several federal agencies that had experienced intrusions affecting their MOVEit applications. CISA director Jen Easterly characterized the impact on federal agencies as minimal.

The Cl0p gang utilized a dedicated dark web leak site to publicly claim its victims and pressure them into paying ransoms. On June 28th, the group posted the names of two major multinational law firms on this site: Kirkland & Ellis LLP, a client services firm based in New York City, and K&L Gates LLP, a corporate law firm headquartered in Pittsburgh, Pennsylvania. Neither firm publicly confirmed the hack at the time. In the early hours of June 29th, Cl0p added additional organizations to its leak site, including The Harrington Company, a Minnesota business firm, and City National Bank in Miami, Florida. The public listing of these entities on the extortion site indicated that data had been stolen from them and was threatened with publication.

The scope of the MOVEit attacks was vast, impacting a wide range of sectors beyond government and legal services. Other major entities named as victims during this period included Siemens Energy, the University of California Los Angeles (UCLA), and the New York City Department of Education. The breach at the education department was reported to have exposed the names of 45,000 students. In the week prior, the Cl0p gang had also claimed two of the Big Four accounting firms, PricewaterhouseCoopers (PwC) and Ernst & Young, as well as the technology and entertainment conglomerate Sony. This pattern of attacks was consistent with previous activity from the group, which was also responsible for exploiting a zero-day vulnerability in the Fortra GoAnywhere file management system that compromised at least 130 organizations in the spring of 2023.

In response to the threat posed by the Cl0p gang, the US government announced a $10 million reward on June 19th for any information leading to the identification of its members. This financial incentive was part of a broader effort to apply pressure on the ransomware group. The gang itself made public statements on its leak site, vowing to delete any stolen government data and claiming its primary interest was in holding private businesses accountable for their security deficiencies. Despite this claim, the attacks continued to affect numerous public sector entities. Industry observers, such as Trend Micro vice president Jon Clay, noted the persistent nature of the group, stating "They aren't going away unless the heat gets on them very bad." The incident demonstrated the significant risk posed by vulnerabilities in widely used third-party software and the extensive downstream impact on organizations that rely on such platforms for critical data transfer functions.
