Cyber Incident Victim: Waste Isolation Pilot Plant

Date: May 2023

Location: United States of America

Summary

A Russia-linked ransomware group exploited a vulnerability in the MOVEit Transfer file-sharing tool to breach multiple U.S. federal agencies, including two Department of Energy entities, one of which was the Waste Isolation Pilot Plant. The breach compromised personally identifiable information of potentially tens of thousands of employees and contractors. The attackers claimed to have erased government data. The Department of Energy implemented immediate mitigation measures and coordinated with cybersecurity authorities to investigate and limit impacts. The broader incident affected additional organizations across sectors including finance and biotechnology.

Description

The U.S. government confirmed in late May 2023 that multiple federal agencies were compromised through exploitation of a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. The Cybersecurity and Infrastructure Security Agency (CISA) attributed the attacks to the Russia-linked Clop ransomware gang, which had begun publicly listing organizations allegedly compromised via the MOVEit flaw. While CISA did not disclose the number or names of affected agencies, the Department of Energy (DOE) confirmed two of its entities were breached: Oak Ridge Associated Universities and the Waste Isolation Pilot Plant (WIPP) in New Mexico. The breach exposed personally identifiable information (PII) of potentially tens of thousands of individuals, including DOE employees and contractors. Upon discovery, the DOE implemented immediate measures to prevent further vulnerability exposure and notified CISA, Congress, law enforcement, and relevant entities to investigate and mitigate impacts.

CISA Director Jen Easterly characterized the intrusions as opportunistic rather than targeted at high-value information or persistent access, noting no evidence of Clop threatening to extort or release stolen U.S. government data. Clop subsequently claimed to have erased government data and refrained from listing agencies as victims on its dark web leak site, despite adding other organizations like the Boston Globe and Enzo Biochem to its victim list. Concurrently, Progress Software addressed a newly discovered vulnerability (CVE-2023-35708) in MOVEit Transfer that risked unauthorized access to customer environments. Federal records indicated approximately a dozen U.S. agencies maintained active MOVEit contracts at the time, including the Department of the Army and the Food and Drug Administration, though their breach status remained unconfirmed. CISA continued collaborating with impacted agencies to assess and remediate the incident as investigations progressed.
