
Cyber Incident Victim: State of Missouri

Date: May 2023

Location: United States of America

Summary

The State of Missouri was potentially impacted by a global cyberattack targeting a vulnerability in the third-party MOVEit Transfer file transfer application. The state's Office of Administration launched an immediate investigation to determine the extent of the incident and to identify any state agencies or vendors that may have been affected. At the time of the public statement, the investigation was ongoing to ascertain the full scope of the attack and any potential data compromise.


Description

On or around May 31, 2023, the State of Missouri Office of Administration, through its Information Technology Services Division (OA-ITSD), acknowledged it was investigating the potential impact on the state following a widespread global cyberattack. This attack was launched by a network of cyber criminals against private entities and multiple state governments. The state's investigation was initiated in response to information released by the Cybersecurity & Infrastructure Security Agency (CISA). Based on that federal guidance, the cyberattack was believed to have originated when a ransomware gang exploited a specific vulnerability. This vulnerability existed within a third-party file transfer system known as MOVEit, which is software used for secure data transfers.


Upon learning of the global incident and its potential implications, the State of Missouri promptly took action to identify its own exposure. The investigation began by quickly identifying any and all associations that state systems or agencies had with the MOVEit software. The objective was to determine the scope of the attack's footprint within Missouri's digital infrastructure and to ascertain which specific parts of state government might have been affected. To that end, the Office of Administration immediately launched a thorough investigation to determine the full extent of the cyberattack and to identify any agencies and vendors that were potentially impacted by this event.

The investigation undertaken by the Office of Administration was comprehensive and ongoing as of the date of the public statement. The state committed to a process of public disclosure, pledging to provide notice as quickly as possible once the entities, individuals, or systems that may have been impacted were formally identified through their investigative process. This commitment to transparency was a key component of the initial response, indicating an understanding of the potential seriousness of the incident, particularly regarding the exposure of sensitive data belonging to citizens or state operations.

The core of the incident revolved around the exploitation of a zero-day vulnerability in the MOVEit Transfer application, which is developed by the company Progress Software. This vulnerability, tracked as CVE-2023-34362, is a critical SQL injection vulnerability that allows unauthenticated attackers to gain unauthorized access to MOVEit Transfer databases. Through this access, threat actors could potentially exfiltrate files stored on the system. The Clop ransomware gang claimed responsibility for the attack campaign, which involved mass exploitation of this vulnerability to steal data from a vast number of organizations worldwide.
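The paragraph above describes the flaw class at the heart of the campaign: a SQL injection vulnerability, in which untrusted input is spliced into a query so that it changes the query's meaning rather than being treated as data. The following Python example is added here for illustration and is not code from MOVEit Transfer, Progress Software, or the State of Missouri; it uses a constructed in-memory SQLite table of file records and a hypothetical `owner` lookup to show the vulnerable pattern next to its parameterized fix.

```python
import sqlite3


def build_db():
    """Constructed sample data: a small table of stored files keyed by owning agency."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO files (owner, name) VALUES (?, ?)",
        [
            ("agency-a", "payroll-2023.csv"),
            ("agency-a", "benefits.xlsx"),
            ("agency-b", "contracts.pdf"),
        ],
    )
    return conn


def list_files_vulnerable(conn, owner):
    """Vulnerable pattern: caller-controlled text becomes part of the SQL grammar.

    A value containing a quote character can close the string literal and append
    its own conditions, so the query no longer enforces the owner restriction.
    """
    sql = "SELECT name FROM files WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_files_parameterized(conn, owner):
    """Hardened pattern: the driver binds the value as data, never as SQL.

    Whatever the input contains, it is compared as a literal string against the
    owner column; it cannot alter the statement's structure.
    """
    sql = "SELECT name FROM files WHERE owner = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    """Run both lookups against the same input and return the results for comparison."""
    conn = build_db()
    # Constructed input containing a quote: a legitimate owner name never looks like this.
    hostile_owner = "agency-a' OR '1'='1"
    return {
        # Owner check bypassed: every file in the table comes back.
        "vulnerable": list_files_vulnerable(conn, hostile_owner),
        # Same input bound as data: no owner has that literal name, so nothing returns.
        "parameterized": list_files_parameterized(conn, hostile_owner),
        # Normal lookup still works with the hardened query.
        "legitimate": list_files_parameterized(conn, "agency-a"),
    }


if __name__ == "__main__":
    for label, names in demo().items():
        print(f"{label:14s} -> {names}")
```

The defensive point is in `list_files_parameterized`: bound parameters (or an equivalent ORM layer) remove the whole class of bug, whereas input filtering alone is brittle. A code-review or SAST rule that flags string concatenation into SQL is the corresponding detection control on the development side.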

The attack methodology did not initially involve encryption for ransom, which is typical of most ransomware operations. Instead, the Clop gang engaged in a double-extortion scheme. They first exfiltrated large volumes of data from vulnerable MOVEit Transfer servers. Then, they threatened to publish the stolen data on their dark web leak site if a ransom payment was not received. This tactic placed significant pressure on victims, as the potential exposure of sensitive information could lead to regulatory fines, reputational damage, and other consequences separate from the operational disruption caused by system encryption.

The global scale of the attack was significant, affecting a wide array of organizations beyond state governments. Numerous federal agencies, universities, and large corporations were also compromised through the same vulnerability. The widespread impact demonstrated the severe risk posed by vulnerabilities in commonly used third-party software products, especially those that handle sensitive data transfers between organizations and their partners or constituents. The software vulnerability served as a single point of failure that could be exploited to breach hundreds of unrelated entities simultaneously.

For the State of Missouri, the primary concern was determining whether any of its data or any systems under its purview were among the vast quantity of information stolen by the threat actors. The investigation focused on mapping all use of the MOVEit application within state government to understand which departments or agencies might have been using the vulnerable software. This involved reviewing contracts with third-party vendors who provide services to the state, as those vendors could also have been using MOVEit and might have stored or processed state data on their own compromised instances.

The response actions were characterized by a methodical and cautious approach. The initial public statement served to acknowledge the event and the state's awareness of it without prematurely confirming a specific data breach. This allowed the investigation to proceed without causing undue public alarm before the facts were fully established. The state's cybersecurity team worked to contain any potential threats by isolating systems, reviewing logs, and assessing the integrity of data stored on any identified MOVEit instances.

The potential impacts of the incident were directly tied to the nature of the data processed through the MOVEit system. Given that the software is designed for secure transfer of files, it is often used to share highly sensitive information, including personally identifiable information (PII), protected health information (PHI), financial records, and other confidential data. A successful exfiltration from a Missouri state system could therefore have consequences for the privacy and security of residents whose data was being transferred by a state agency.

The incident highlighted the challenges modern governments face in managing complex software supply chains. The attack vector was not a direct breach of Missouri's own cybersecurity defenses but rather the exploitation of a weakness in a commercial product used by the state. This meant that the state's security was partially dependent on the security practices of an external software vendor and the timely application of patches once a vulnerability was disclosed. The need for robust third-party risk management programs was underscored by this event.

As the investigation continued, the focus remained on forensic analysis to determine exactly what data, if any, was accessed or taken. This process involves meticulous examination of system logs, access records, and file transfers to establish a timeline of activity and identify any anomalous behavior consistent with the known attack patterns of the Clop ransomware group. The findings of this analysis would form the basis for any required notifications to individuals or regulatory bodies, in accordance with state and federal laws.
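The log review described above (and the earlier mention of the state's team reviewing logs on identified MOVEit instances) comes down to reconstructing a timeline of file activity and looking for behaviour that stands out from normal use, such as a large volume of downloads in a short window or activity under an account nobody provisioned. The Python example below is added here to show that analysis on constructed data; it is not the State of Missouri's tooling, and the pipe-delimited `timestamp|user|action|file|bytes|src_ip` line format, the sample entries, the `KNOWN_ACCOUNTS` set and the thresholds are all assumptions made for the illustration, not MOVEit Transfer's actual audit log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in a hypothetical format:
# timestamp|user|action|file|bytes|src_ip
SAMPLE_LOG = """\
2023-05-27T09:14:02Z|jdoe|DOWNLOAD|/agency-a/report-q1.pdf|204800|10.20.1.5
2023-05-27T09:20:45Z|jdoe|UPLOAD|/agency-a/report-q2.pdf|307200|10.20.1.5
2023-05-28T02:11:03Z|svc_transfer|DOWNLOAD|/agency-a/payroll-2023.csv|52428800|203.0.113.9
2023-05-28T02:11:09Z|svc_transfer|DOWNLOAD|/agency-a/benefits.xlsx|73400320|203.0.113.9
2023-05-28T02:11:15Z|svc_transfer|DOWNLOAD|/agency-b/contracts.pdf|94371840|203.0.113.9
2023-05-28T02:11:20Z|svc_transfer|DOWNLOAD|/agency-b/claims.zip|115343360|203.0.113.9
2023-05-28T10:30:00Z|asmith|DOWNLOAD|/agency-b/memo.docx|40960|10.20.1.8
"""

# Constructed: the accounts the agency actually provisioned on the transfer server.
KNOWN_ACCOUNTS = {"jdoe", "asmith"}


def parse_log(text):
    """Parse the hypothetical log format into a list of events sorted by time (the timeline)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size, src_ip = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "action": action,
            "file": path,
            "bytes": int(size),
            "src_ip": src_ip,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_bulk_downloads(events, window=timedelta(minutes=10), threshold_bytes=200 * 1024 * 1024):
    """Flag any source address whose downloads inside a sliding window exceed the threshold.

    Mass data theft through a transfer server tends to show as many downloads,
    close together, from one origin; a per-source sliding-window sum surfaces that
    even when each individual file is unremarkable. Assumed thresholds: 200 MiB in 10 minutes.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DOWNLOAD":
            by_src[e["src_ip"]].append(e)

    findings = []
    for src_ip, evs in by_src.items():
        start, total, best = 0, 0, None
        for end, e in enumerate(evs):
            total += e["bytes"]
            # Slide the window start forward until it covers at most `window` of time.
            while e["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold_bytes and (best is None or total > best["bytes"]):
                best = {
                    "src_ip": src_ip,
                    "first": evs[start]["ts"],
                    "last": e["ts"],
                    "files": end - start + 1,
                    "bytes": total,
                }
        if best is not None:
            findings.append(best)
    return findings


def find_unknown_accounts(events, known_accounts):
    """Return (user, src_ip) pairs for activity under accounts that were never provisioned.

    Access obtained by bypassing authentication commonly shows up as a principal
    the administrators do not recognise, so cross-checking against the account
    inventory is a cheap first pass.
    """
    pairs = {(e["user"], e["src_ip"]) for e in events if e["user"] not in known_accounts}
    return sorted(pairs)


if __name__ == "__main__":
    timeline = parse_log(SAMPLE_LOG)
    for e in timeline:
        print(f"{e['ts'].isoformat()}  {e['user']:13s} {e['action']:9s} {e['bytes']:>10d}  {e['src_ip']}")
    print("bulk downloads:", find_bulk_downloads(timeline))
    print("unknown accounts:", find_unknown_accounts(timeline, KNOWN_ACCOUNTS))
```

In practice the thresholds are tuned from a baseline of normal transfer volume per account and per source, and the two findings are correlated: a bulk download from an unknown principal, as in the constructed sample, is the combination that warrants immediate containment and preservation of the affected instance for forensic imaging.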

The State of Missouri’s coordination with federal authorities, notably CISA, was a critical element of its response. By leveraging the intelligence and guidance provided by CISA, the state’s IT division could align its investigation with the latest known indicators of compromise and tactics, techniques, and procedures (TTPs) associated with the threat actors. This collaboration is a standard part of incident response for significant cyber events, ensuring that local efforts are informed by a broader understanding of the threat landscape.

The ultimate consequences of the incident for the State of Missouri were pending the results of the formal investigation. The confirmed scope of impact, the number of affected individuals, and the type of data exposed would not be known until the forensic process was complete. The state’s commitment was to disclose these findings publicly once they were verified and to take all necessary steps to address the ramifications of any confirmed data compromise. The event served as a stark reminder of the persistent and evolving cyber threats faced by public sector entities.
