Date: Jun 2023

Location: United States of America

Summary

The U.S. Department of Health and Human Services was affected by a wide-ranging hack exploiting a vulnerability in the third-party MOVEit Transfer software. While no HHS systems were directly compromised, attackers gained access to its data through its vendors, potentially exposing tens of thousands of records. The incident was part of a larger campaign attributed to the Cl0p ransomware gang, which also claimed to have stolen data from major law firms.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The U.S. Department of Health and Human Services (HHS) was confirmed on June 28, 2023, to have been affected by a wide-ranging cyber incident centered on a vulnerability in a third-party software application known as MOVEit Transfer, which is a commercial file management tool produced by Progress Software. According to a source at HHS, while no internal HHS systems or networks were directly compromised, attackers were able to gain access to department data by exploiting the software vulnerability within the systems of its third-party vendors. This method of attack meant the breach was indirect, occurring through the department's external partners and suppliers who utilized the vulnerable file transfer software in their operations with HHS. The incident was part of a much broader campaign impacting a wide swathe of organizations.


The ransomware gang known as Cl0p was identified as being behind the massive breach. Researchers believe Cl0p to be a Russian-speaking group of hackers. The group was able to gain access to data from numerous organizations by compromising the MOVEit Transfer software. On the same day the HHS impact was reported, Cl0p also claimed credit for stealing data from two major law firms, Kirkland & Ellis LLP and K&L Gates LLP. The group posted the names of these firms to its dark web leak site, an action typically interpreted as a sign that negotiations between the victims and the hackers had broken down and that the stolen data was threatened with public release. The claims regarding the law firms could not be immediately verified, as neither firm returned messages seeking comment.

HHS's name did not appear on Cl0p's list of purported victims published on its leak site. The group has previously insisted it does not deliberately steal data from government organizations. However, this stated policy does not mean that government data cannot be compromised, as the HHS incident shows: the data was taken while held by a third-party vendor rather than on a government system. A Bloomberg report, cited alongside the Reuters reporting, indicated that tens of thousands of HHS records could have been exposed through the exploitation of the vendor's systems. This estimate was the only indication of the scope of the HHS exposure; the specific types of records or individuals affected were not detailed in the immediate reporting.

The statement from a health department official familiar with the matter clarified the nature of the compromise, emphasizing that the attack vector ran through a third party. It confirmed that attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software used by those vendors. This distinction was crucial, as it indicated that the Department of Health and Human Services' own infrastructure remained secure and was not penetrated by the threat actors. HHS's response consisted of acknowledging the incident through an official source and providing a factual statement on how the breach occurred.

The broader impact of the MOVEit vulnerability was significant, with Cl0p compromising the software to access data from a large number of entities. Jon Clay, vice president for threat intelligence at Trend Micro, described Cl0p as a resourceful group with little incentive to stop its extortion activities. Speaking about the group's broader campaign, he stated, "They aren't going away," suggesting the group would continue its operations unless significant pressure was applied to it. The HHS incident was therefore one component of a widespread and ongoing cybercriminal spree targeting users of a common software product. Public reporting served as the primary means of disclosing the incident, as official channels from the affected entities provided limited immediate commentary.

Sources: 1 source (available to members)