Cyber Incident Victim: Maryland Department of Health and Human Services
Date: Jun 2023
Location: United States of America
Summary
The Maryland Department of Human Services was impacted by a global cybersecurity incident involving a compromise of the MOVEit file transfer application. The state's Office of Security Management initiated an investigation to determine the scope and whether other agencies were affected. Officials stated there was no indication any stolen data had been subsequently sold, used, or released by the attackers, who had not made contact with the state.
Description
The Maryland Department of Human Services was identified as a victim of a widespread cybersecurity incident involving the compromise of the MOVEit file transfer software in June 2023. The department was part of a larger group of state and federal agencies affected by this event, which included the Colorado Department of Health Care Policy and Financing, the U.S. Department of Agriculture, and the U.S. Office of Personnel Management. The incident was attributed to the CL0P ransomware gang, a known cyber threat group.

On June 17, 2023, the state of Maryland issued an official announcement confirming that the Maryland Department of Human Services had been affected. The state's Department of Information Technology’s Office of Security Management initiated an investigation to determine the scope of the incident and to assess whether any other state agencies had been impacted. The investigation was conducted to understand the extent of any potential data compromise. The state's announcement also stated that there was no current indication that any stolen data had been sold, used, shared, or released by the attackers. Furthermore, the attackers had not made contact with the state of Maryland to make any extortion demands.
In response to the incident, the Governor’s Office and the Maryland Department of Information Technology committed to continuing to monitor for vulnerabilities, apply necessary security patching, and coordinate the response among all state agencies and entities that were potentially involved. The state's IT department alerted its contacts, emergency coordinators, and local emergency managers about the situation. These parties were advised to review the cybersecurity advisory on the incident issued by the Cybersecurity and Infrastructure Security Agency (CISA). The state IT department also made itself available to assist these parties in patching any potential vulnerabilities within their systems to prevent further exploitation.
The compromise did not originate from a direct breach of the Maryland Department of Human Services' own systems. Instead, the impact reached the department through a third-party vendor that utilized the vulnerable MOVEit software. This method of attack was consistent with other victims, such as the Colorado Department of Health Care Policy and Financing, which also reported that its data was exposed via a third-party vendor's use of MOVEit, not through a direct breach of its own infrastructure. The CL0P gang exploited a zero-day vulnerability in the MOVEit application to gain unauthorized access to files being transferred by numerous organizations worldwide.
While the CL0P ransomware gang publicly claimed that it deleted all data stolen from government agencies, reports from other federal victims suggested this claim might not be accurate. The U.S. Department of Energy reported that two of its entities had received individual ransomware notes from the gang, indicating that extortion attempts were still being made. A spokesperson for the Department of Energy stated that the entities, Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, did not engage with the threat actors. In reaction to the broader threat posed by CL0P and similar groups, the U.S. State Department announced a reward of up to $10 million for information leading to the identification of any malicious cyber actors targeting U.S. critical infrastructure in connection with a foreign government. This bounty was offered through the department’s Rewards for Justice program.
The primary impact of the incident on the Maryland Department of Human Services was the potential compromise of data. The exact nature and scope of the data affected were under investigation at the time of the state's June 17 announcement. The department provides critical social services to Maryland residents, and such data could include personally identifiable information. The state's response focused on investigation, coordination, and applying security patches to prevent further unauthorized access. The announcement aimed to provide transparency while the investigation was ongoing, and the state committed to notifying individuals if their data was determined to have been compromised.
