Cyber Incident Victim: University System of Georgia
Date: May 2023
Location: United States of America
Summary
The University System of Georgia was affected by a global cyberattack after threat actors exploited a zero-day vulnerability in the MOVEit Transfer platform. The Russian Clop ransomware gang claimed responsibility for the attack and listed the system on its data leak site. USG officials applied a security patch and opened an investigation to evaluate the severity of the potential data exposure from its compromised secure file repositories.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 27, 2023, the Clop ransomware gang exploited a zero-day vulnerability in the MOVEit Transfer secure file transfer platform. This global attack targeted numerous organizations that used the software to store and share sensitive data. The University System of Georgia (USG) and the University of Georgia (UGA) were among the entities whose MOVEit secure repositories were compromised in this incident. The threat actors claimed responsibility for the attacks and asserted that they had breached hundreds of companies. They warned that the names of these victims would be added to their data leak site on June 14th if negotiations did not occur, and further threatened to begin leaking stolen data publicly on June 21st.

Progress Software, the maker of MOVEit, alerted its users to the vulnerability and provided a patch on May 31st. Upon receiving this notification, USG staff acted swiftly to restrict internet access to the affected MOVEit instances and applied the vendor's patch. The initial statement from a USG spokesperson acknowledged that the zero-day defect had likely allowed cybercriminals unauthorized access to information stored in their MOVEit repositories. The organization immediately began an investigation to determine the scope and severity of the potential data exposure. Both USG and UGA confirmed to media outlets that they were affected to varying degrees by the MOVEit attacks and were actively investigating to determine whether a data breach had occurred.
The software had been purchased by USG through a contract with CDW Government LLC. On March 28, 2023, prior to the incident, USG had signed a contract for a year of technical support for MOVEit for approximately $15,000. Following the attack, internal communications were initiated by USG leadership. On the afternoon of June 15, Timothy Chester, the interim vice chancellor and chief information officer for the Board of Regents' information technology services, emailed a representative of Progress Software named Tim Murphy. Chester expressed a desire to have a call with responsible executives at Progress Software to convey concern and to gauge the company's response to remedying known vulnerabilities and identifying future ones. Murphy responded that he was traveling but might have availability the following day or week. Chester followed up on the morning of June 16, emphasizing the need for visibility into how Progress was managing these vulnerabilities ahead of a report he had to relay to the USG board.
The Clop gang followed through on its threat, and on June 14th, it began listing victim companies on its data leak site. Among the first thirteen companies listed were Shell, UnitedHealthcare Student Resources (UHSR), the University System of Georgia (USG), the University of Georgia (UGA), Heidelberger Druck, and Landal Greenparks. The listing of these organizations on the extortion site confirmed them as victims of the data-theft campaign. The public confirmation from USG and UGA came on June 15th, aligning with the threat actors' timeline. Other known victims of the wider campaign included various U.S. state governments, federal agencies including two Department of Energy entities, the government of Nova Scotia, and major corporations like British Airways and the BBC.
The direct impacts and the specific contents of the data stolen from USG's systems were not fully detailed in the immediate aftermath; the investigation into whether a breach had occurred was still ongoing. In contrast, other victims provided more specific details; for example, Landal Greenparks reported that threat actors accessed the names and contact information of approximately 12,000 guests. The Clop gang claimed that it automatically deleted data stolen from government entities, but such claims cannot be verified, and stolen data must be assumed to remain at risk. The gang has a history of breaching file-transfer products such as GoAnywhere and Accellion FTA to extort victims, often demanding ransoms as high as $10 million to prevent the leaking of stolen information.
The response from USG involved both technical containment and administrative actions. Technically, the immediate response was to restrict access to the vulnerable system and apply the security patch. Administratively, the organization began complying with public records requests related to the incident. USG released documents including the contract for the MOVEit software support and email communications between its staff and Progress Software representatives. These releases were made in response to requests from media organizations seeking to understand the procurement and response aspects of the security incident. The released records detailed the financial commitment to the software and the high-level concerns raised by USG leadership with the software vendor regarding the vulnerability and its management.
The broader consequences of the incident placed USG within a significant global cybersecurity event. The attack was attributed to a Russian cyber-extortion gang, identified as one of the world's most prolific cybercrime syndicates. This group has a documented history of not always keeping its word regarding the deletion of data, even after ransoms are paid. The incident underscored the risks associated with third-party software vulnerabilities and the extensive supply chain attacks that can result from a single exploit. For USG, the event triggered an internal review process and necessitated reporting to its governing board, highlighting the operational and reputational ramifications of the data breach. The full extent of the data compromised from USG systems and any subsequent misuse remained under investigation.
