Cyber Incident Victim: Oak Ridge Associated Universities
Date: May 2023
Location: United States of America
Summary
A Russia-linked ransomware group known as Clop exploited a vulnerability in the MOVEit Transfer file-sharing tool to breach multiple U.S. federal agencies, including two Department of Energy entities—Oak Ridge Associated Universities and the Waste Isolation Pilot Plant—compromising personally identifiable information of employees and contractors. The Cybersecurity and Infrastructure Security Agency characterized the intrusions as opportunistic attacks, noting no evidence of data theft or extortion targeting government systems, while the attackers claimed to have erased government data and listed additional victims across the financial, media, and biotechnology sectors. Progress Software issued patches for a newly discovered vulnerability as the incident continued to affect organizations globally.
Description
In May 2023, multiple U.S. federal agencies were compromised through exploitation of a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed "several" agencies experienced intrusions attributed to the Russia-linked Clop ransomware gang. The Department of Energy (DOE) publicly acknowledged two of its entities—Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico—were among the victims. These breaches exposed personally identifiable information (PII) of potentially tens of thousands of individuals, including Energy Department employees and contractors. Upon discovery, DOE implemented immediate measures to prevent further exploitation of the vulnerability and formally notified CISA, Congress, and law enforcement agencies. The department initiated collaboration with CISA and affected entities to investigate the incident and mitigate breach impacts. CISA Director Jen Easterly characterized the attacks as opportunistic, noting no evidence suggested theft of high-value information or persistent access to government systems. At the time of reporting, Clop had not listed U.S. government agencies on its dark web leak site and claimed to have erased government data, though it continued adding non-governmental victims like the Boston Globe and Enzo Biochem.

The incident emerged amid Clop's systematic exploitation of the MOVEit vulnerability, with the group listing its first batch of victims—including Shell and U.S. financial institutions—days before federal breaches were confirmed. Progress Software issued patches for a newly discovered vulnerability (CVE-2023-35708) during the response period, though its relevance to the federal breaches remained unspecified. CISA coordinated urgent remediation efforts with impacted agencies while emphasizing no verified threats of data extortion or release targeting government entities. Federal procurement records indicated approximately a dozen U.S. agencies maintained active MOVEit contracts, including the Departments of the Army and Air Force, though specific breach confirmations beyond the two DOE entities were undisclosed. The compromise at Oak Ridge Associated Universities and the Waste Isolation Pilot Plant represented one of the earliest confirmed federal casualties in a global campaign that subsequently affected numerous private-sector organizations.
