Cyber Incident Victim: University of Georgia
Date: May 2023
Location: United States of America
Summary
The University of Georgia and the University System of Georgia were impacted by a data theft incident after the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer platform. The threat actors gained unauthorized access to information stored in the system's secure repositories. The university system applied a patch and limited access to the software, and an investigation was launched to evaluate the severity of the potential data exposure.
Description
On May 27, 2023, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. This software was widely used by businesses and organizations, including the University System of Georgia (USG) and the University of Georgia (UGA), to securely share and store sensitive data. The threat actors took responsibility for these attacks, claiming to have breached hundreds of companies by stealing files stored on the servers. The gang announced that the names of these victims would be added to their data leak site on June 14th if negotiations did not occur, with a threat to begin leaking the stolen data publicly on June 21st.

Following the public disclosure of the vulnerability by Progress Software, the developer of MOVEit, the University System of Georgia was notified. A spokesperson for USG confirmed that both USG and UGA had purchased and were using the MOVEit software to store and transfer sensitive data. Upon receiving the notification, USG staff took immediate action to limit the potential damage. They quickly restricted internet access to the vulnerable MOVEit software and applied the available security patch provided by Progress Software to fix the defective code. This action was a containment measure aimed at preventing further unauthorized access.
The University System of Georgia and the University of Georgia then began an investigation to determine if they were, in fact, victims of this global cyberattack and to assess the severity of any potential data exposure. They stated they were actively monitoring the situation and would disclose any confirmed data breaches if discovered. The incident was attributed to the Clop ransomware syndicate, a Russian cyber-extortion gang described as one of the world's most prolific cybercrime syndicates. This group has a history of similar attacks, having previously breached other file-transfer programs like GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.
On June 1, 2023, the Clop gang began listing victim organizations on its data leak site, a tactic used to pressure companies into paying a ransom. Among the first thirteen companies listed were the University System of Georgia and the University of Georgia. This public listing confirmed their status as victims of the attack. Other entities listed alongside them included Shell, UnitedHealthcare Student Resources (UHSR), Heidelberger Druck, and Landal Greenparks. The listing did not initially specify whether these were related to the MOVEit attacks or separate ransomware encryption incidents, but subsequent confirmations from several companies linked them directly to the MOVEit exploitation.
The impacts of the breach were still under investigation by USG and UGA at the time of reporting. The full scope of what specific data was accessed or exfiltrated from their systems had not been publicly confirmed. In contrast, other victims provided more immediate details; Shell reported a small number of employees and customers were impacted, while Landal Greenparks disclosed that threat actors accessed the names and contact information of approximately 12,000 guests. German printing company Heidelberger Druck, while confirming its use of MOVEit Transfer, stated its analysis indicated the incident did not lead to any data breach. The University System of Georgia maintained its position that the investigation was ongoing.
The Clop gang employed a clear extortion model, demanding payments to prevent the publication of stolen data. While the specific ransom demand made to USG and UGA was not disclosed, historical context from similar attacks by the same group using vulnerabilities in Accellion FTA and GoAnywhere MFT showed that they had demanded ransoms as high as $10 million. However, it was reported that the extortion operation was not very successful in the GoAnywhere attacks, with many companies choosing to disclose data breaches rather than pay. The gang also claimed a policy of automatically deleting data stolen from government entities, though cybersecurity experts noted such claims are not verifiable and should not be trusted, with known cases of data appearing on the dark web months after ransoms were paid.
The incident was part of a much broader campaign that affected a wide range of organizations globally. Other confirmed victims included Zellis (impacting its clients BBC, Boots, and Aer Lingus), the University of Rochester, the governments of Nova Scotia, Missouri, and Illinois, and several U.S. federal agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) was reported to be working with federal agencies that had been breached, including two entities within the U.S. Department of Energy. The widespread nature of the attack underscored the significant reliance on the MOVEit platform and the severe consequences of the zero-day vulnerability.
The response from the University System of Georgia involved both immediate technical containment and a longer-term investigative process. The initial response focused on mitigation by patching the system and isolating it from the internet to prevent further exploitation. The subsequent investigation aimed to determine the extent of the data exposure, what types of sensitive information were stored on the platform, and which individuals may have been affected. The universities committed to following standard disclosure protocols, indicating that affected parties would be notified if the investigation confirmed a breach of personal data. The situation remained fluid as the investigation continued alongside the public extortion pressure from the Clop ransomware gang.
