Cyber Incident Victim: Southern Illinois University
Date:
May 2023
Location:
United States of America
Summary
The Clop ransomware group exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer file transfer application to conduct a widespread supply chain attack. Southern Illinois University was among the approximately 150 organizations identified as affected by late June 2023; the victims that had disclosed figures by then reported compromised data belonging to more than 16 million individuals. The attackers stole data to extort payments, promising to delete it if ransoms were paid. Numerous other government agencies and private companies were victimized in the same campaign.
Description
The Clop ransomware group began exploiting Progress Software's MOVEit Transfer file transfer software around May 27 and 28, 2023. The attackers used a previously unknown SQL injection vulnerability, designated CVE-2023-34362, in internet-facing MOVEit Transfer web applications. Through this flaw they planted a web shell on the affected servers and used it to enumerate and steal data from the underlying MOVEit Transfer databases. Progress Software identified the flaw and released a patch on May 31, 2023. Following the initial patch, Progress discovered and patched two additional vulnerabilities in the product, although there was no indication that these subsequent flaws were exploited in the wild.
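As an added example (not code from this page, from Progress Software, Cl0p or CISA), the following Python script applies the file-level indicator that the CISA/FBI joint advisory on this campaign (AA23-158A) attributes to it, a web shell written into the MOVEit Transfer web root as human2.aspx, to IIS request logs. It also flags any .aspx name that is absent from an assumed baseline of legitimate pages, so a shell renamed to evade the name check is still surfaced. The baseline set and the log lines are constructed for the illustration and do not come from any victim.

```python
"""Hunt for MOVEit Transfer web-shell activity in IIS W3C extended logs.

Added illustration for this entry, not code from Progress Software, Cl0p,
or CISA. The indicator it looks for is the one CISA/FBI advisory AA23-158A
attributes to this campaign: a web shell named human2.aspx in the MOVEit
Transfer web root. The baseline page list and the log lines are constructed.
"""
from collections import Counter

# Web-shell file name reported in AA23-158A; extend with your own IOCs.
WEBSHELL_NAMES = {"human2.aspx"}

# Assumed baseline of page names that legitimately exist in the MOVEit
# web root. In production, build this from a clean install of the same
# version; a shell renamed to dodge the name check still fails this one.
BASELINE_PAGES = {"human.aspx", "guestaccess.aspx", "machine.aspx"}

# Constructed IIS log excerpt (W3C extended format); not from any victim.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-05-28 02:11:04 203.0.113.7 POST /moveitisapi/moveitisapi.dll - 200
2023-05-28 02:11:05 203.0.113.7 POST /guestaccess.aspx - 200
2023-05-28 02:11:06 203.0.113.7 GET /human2.aspx - 200
2023-05-28 02:11:09 203.0.113.7 GET /HUMAN2.aspx - 200
2023-05-28 09:30:12 198.51.100.4 GET /human.aspx - 200
2023-05-28 09:30:15 198.51.100.4 POST /api/v1/token - 200
"""


def parse_w3c(log_text):
    """Yield one dict per request, using the #Fields header for column names."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields header before first record")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip rather than crash
        yield dict(zip(fields, parts))


def hunt(log_text, webshell_names=WEBSHELL_NAMES, baseline=BASELINE_PAGES):
    """Return web-shell hits, unknown .aspx names, and per-source-IP hit counts."""
    hits, unknown, per_ip = [], set(), Counter()
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"]
        name = stem.rsplit("/", 1)[-1].lower()  # IIS paths are case-insensitive
        if name in webshell_names:
            hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], stem))
            per_ip[rec["c-ip"]] += 1
        if name.endswith(".aspx") and name not in baseline:
            unknown.add(name)
    return {"webshell_hits": hits, "unknown_aspx": unknown, "per_ip": per_ip}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for when, ip, path in result["webshell_hits"]:
        print(f"{when} {ip} requested {path}")
    print("unknown .aspx names:", sorted(result["unknown_aspx"]))
    print("web-shell hits per source IP:", dict(result["per_ip"]))
```

The same advisory also reports the creation of a MOVEit user account named "Health Check Service" during exploitation; a check of the MOVEit database's user table for that account, and for sessions it opened, complements the log search above, since a server whose logs were rotated or trimmed may still carry the account.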

The campaign impacted a wide range of organizations across multiple sectors. By late June 2023, security researchers tracking the incident estimated that approximately 150 organizations had been affected, and the victims that had disclosed figures by then reported compromised personal data of more than 16 million individuals. Southern Illinois University was named among the victim organizations. The university's compromise followed the same pattern as the rest of the campaign: exploitation of the MOVEit Transfer vulnerability to exfiltrate data.
The Clop group employed a double-extortion tactic. It demanded ransom payments from victim organizations in exchange for a promise to delete the stolen data and to refrain from listing the organization's name on its data leak site. The group stated that it released victim names slowly to give larger companies time to make contact and negotiate. It remains unclear how many organizations paid. The group also claimed to have deleted data stolen from approximately 30 government agencies or contractors, stating that its motivation was purely financial and not political, in an apparent attempt to avoid becoming a national security target.
The impact of the incident was significant in terms of the volume of sensitive personal information stolen. Although only about 11 victim organizations had publicly quantified the number of affected individuals by late June, their collective total already exceeded 16 million people. The stolen data varied by organization but included a vast amount of personal detail. For example, the Tennessee Consolidated Retirement System reported that information on 171,836 retirees or their dependents was exposed, and the states of Louisiana and Oregon both reported that information on residents who had been issued a driver's license or state ID had been stolen. Not every victim ran MOVEit itself: the Tennessee retirement system's data was exposed because a third-party service provider, PBI Research Services, which used the MOVEit software, fell victim to the campaign.
The list of affected entities was extensive and spanned the public and private sectors. In the United States, federal government victims included the Department of Energy, the Department of Agriculture, and the Office of Personnel Management. State and local government victims included the Maryland Department of Health and Human Services, the Minnesota and New York City departments of education, and the states of Louisiana and Oregon. Universities affected included Georgia, Johns Hopkins, Missouri, Rochester, UCLA, and Southern Illinois. Private sector victims included healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Company, Siemens Energy, Extreme Networks, the consultancies EY and PwC, the American Board of Internal Medicine, the oil company Shell, and the U.S. financial services firms 1st Source and First National Bankers Bank. Internationally, the British communications regulator Ofcom and the payroll provider Zellis were also breached; the Zellis compromise exposed data from eight of its customers, including the BBC, the Boots pharmacy chain, and British Airways. Other affected customers of the third-party provider PBI included Genworth Financial and the California Public Employees' Retirement System (CalPERS), which manages the largest public pension fund in the U.S.
In response to the attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint alert warning organizations about the exploitation. Both agencies continued to investigate the attacks and assist victims. The FBI's Cyber Division assistant director, Bryan Vorndran, urged all organizations affected by the Clop campaign to alert the bureau if they had not already done so. The director of CISA, Jen Easterly, assessed that the agency had not seen and did not expect to see any "significant impacts" from what it characterized as Clop's "opportunistic" campaign. Easterly stated that although officials were very concerned, the campaign did not pose a systemic risk akin to the SolarWinds incident. The primary consequences for affected organizations were the financial costs of investigating the breach, notifying affected individuals, and providing credit monitoring services. The long-term ramifications of such a large-scale theft of personal data remained to be fully understood as the incident continued to develop.
