Cyber Incident Victim: U.S. Department of Health and Human Services
Date: May 2023
Location: United States of America
Summary
The U.S. Department of Health and Human Services was affected by a wide-ranging hack exploiting a vulnerability in the third-party MOVEit Transfer software. While no HHS systems were directly compromised, attackers gained access to its data through third-party vendors that used the vulnerable software, potentially exposing tens of thousands of records. The incident was part of a broader campaign attributed to the Cl0p ransomware gang, which also targeted major law firms.
Description
The U.S. Department of Health and Human Services was affected by a wide-ranging cyber incident that became public knowledge on June 28, 2023. The attack centered on the exploitation of a vulnerability within MOVEit Transfer, a commercial file management tool developed by Progress Software. According to a source at HHS, while no internal HHS systems or networks were directly compromised, attackers successfully gained access to department data. This breach occurred through the exploitation of the software vulnerability present at third-party vendors utilized by HHS. A health department official familiar with the matter confirmed this chain of events, stating that the attackers specifically targeted the weak point in the vendors' MOVEit Transfer software to exfiltrate information.

The ransomware gang known as Cl0p was identified as the perpetrator behind this massive breach. Cybersecurity researchers believe Cl0p to be a Russian-speaking group of hackers. The group gained access to a wide swath of organizations' data by compromising the MOVEit Transfer application. This tool is used by numerous organizations for secure file transfers, and its vulnerability provided a single point of failure that could be leveraged against many entities simultaneously. On the same day it was revealed that HHS was affected, Cl0p also publicly claimed credit for stealing data from two major law firms, Kirkland & Ellis LLP and K&L Gates LLP. The group posted the names of these firms to its dedicated leak site, an action typically interpreted as a sign that any negotiations between the victims and the hackers had broken down and that the stolen data was likely to be published.
Notably, the name of the U.S. Department of Health and Human Services did not appear on Cl0p's list of purported victims published to its leak site. This omission was consistent with the group's previously stated position that it does not deliberately steal data from government organizations. However, this public claim did not mean that government data remained uncompromised: the HHS incident demonstrated that such data could be accessed indirectly through third-party service providers. The claims made by the hackers regarding the law firms could not be immediately verified, as representatives for Kirkland & Ellis and K&L Gates did not immediately return messages seeking comment after hours.
The scope of the data exposure for HHS was reported by Bloomberg, which cited a person familiar with the incident at the department. This reporting indicated that tens of thousands of records could have been exposed as a result of the attack on the third-party vendors. The exact nature and sensitivity of the exposed records belonging to HHS were not detailed in the immediate aftermath of the disclosure. The incident was part of a much broader campaign affecting countless organizations that utilized the vulnerable MOVEit Transfer software, making it a wide-ranging and significant cybersecurity event.
A spokesperson for HHS could not be immediately reached for comment on the day the news broke. The department's position, conveyed through an official familiar with the matter, emphasized that its own infrastructure remained secure and that the compromise was limited to the vendors' systems. This distinction highlighted the growing cybersecurity challenge posed by supply chain attacks, where a breach of a single software provider or vendor can lead to the compromise of data across its entire client base. The response from HHS involved acknowledging the incident and clarifying the point of entry, which was through its vendors rather than a direct intrusion into its networks.
The cybersecurity firm Trend Micro provided analysis on the Cl0p group. Jon Clay, the vice president for threat intelligence at the firm, described Cl0p as a resourceful group with little incentive to stop its extortion activities. Speaking to Reuters ahead of the latest claims involving the law firms, Clay characterized the group as persistent, noting that it was unlikely to cease operations unless significant pressure was applied. His assessment pointed to the profitable nature of its ransomware campaigns and its ability to continue exploiting vulnerabilities for financial gain. The group did not immediately return an email seeking comment on its actions, maintaining its opaque and non-communicative stance toward the media following its initial claims. The incident involving HHS underscored the persistent threat posed by sophisticated cybercriminal groups that target widely used software to maximize the impact of their attacks, and the difficulty of fully mitigating such threats across complex organizational ecosystems.
