Date: May 2023

Location: United States of America

Summary

Missouri's Office of Administration, Information Technology Services Division launched an investigation into a cyberattack on its MOVEit file transfer system. The incident was part of a larger campaign by the Clop ransomware group exploiting a vulnerability in MOVEit Transfer (CVE-2023-34362). The state is working to determine the extent of the attack and to identify any agencies, vendors, or individuals potentially affected, with a public notice to follow once that assessment is complete.


Description

On or around May 31, 2023, Missouri's Office of Administration, Information Technology Services Division (OA-ITSD) opened an investigation into a potential data breach following exploitation of a vulnerability in Progress Software's MOVEit Transfer product. The division, which uses MOVEit to move files and information between state agencies, said it was still working to establish what data, if any, had been taken during the attack. It launched a forensic investigation to determine the extent of the compromise and to identify the agencies and vendors potentially affected. The incident was one of many in a campaign attributed to the Clop ransomware group, which publicly claimed to have stolen data from hundreds of organizations through the same flaw, tracked as CVE-2023-34362, a SQL injection vulnerability in the MOVEit Transfer web application that lets an unauthenticated attacker reach the application's database.


OA-ITSD described the investigation as ongoing and committed to issuing public notice as soon as the entities, individuals, or systems affected were identified. Its statement said that, upon learning of the vulnerability, the state quickly inventoried which of its systems and vendors were connected to MOVEit. The response ran in parallel with similar action elsewhere, including by the state of Illinois, which also announced an investigation into a MOVEit-related data breach. Clop later posted a message claiming to have deleted all data taken from government agencies, cities, and police departments, a claim victims had no way to verify; by then numerous governments and major companies worldwide had confirmed that their data had been accessed.

Progress, the developer of MOVEit, published a patch for the vulnerability on May 31, the same day many affected organizations began their response. The flaw was serious because exploitation did not stop at file access. According to analysis from the security firm Horizon3.ai, proof-of-concept exploit code yielded cleartext credentials for the provisioned sysadmin account, the database credentials, and the service credential. These are high-value assets for lateral movement: an attacker holding them can expand access well beyond the MOVEit host and exfiltrate more data. A practical consequence is that applying the patch closes the entry point but does not invalidate credentials already retrieved, so a response limited to patching leaves an attacker who acted before the patch with working access; those credentials must be rotated and any accounts or components created with them reviewed.

The scope of the incident involving Missouri’s systems was not immediately detailed in the initial announcements. The investigation aimed to determine which state agencies and external vendors that interacted with the OA-ITSD’s MOVEit system were affected. The agency’s public statements did not confirm the specific number of individuals or records involved, noting that this determination was a key objective of the ongoing forensic investigation. The broader campaign impacted a wide array of organizations globally, including the governments of Nova Scotia and Illinois, the University of Rochester, Britain’s communications regulator Ofcom, the BBC, British Airways, Irish carrier Aer Lingus, Boots, and Minnesota’s Department of Education, which announced a breach involving hundreds of thousands of students.

Missouri's OA-ITSD framed its response around a thorough investigation to map the full extent of the compromise. It did not publicly describe specific containment steps such as taking the MOVEit system offline, so whether and when that happened cannot be determined from its statements. By comparison, the Illinois Department of Innovation & Technology disconnected all systems associated with MOVEit on May 31 and hired an incident response team to conduct a forensic analysis. Illinois officials also used attacker "fingerprints" (indicators of compromise) published by the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to map the extent of the intrusion in their environment.
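As an added illustration of the kind of log triage that fingerprint-based scoping involves (example code written for this page, not code from Missouri, Illinois, CISA, the FBI or Progress), the script below parses W3C-format IIS logs from a MOVEit Transfer front end and flags two things an investigator scoping this campaign would look for: .aspx paths that are not part of a known-good baseline (a newly dropped web shell shows up as exactly that), and unauthenticated POST activity by source address, followed by a per-source timeline so the requests that preceded the drop can be reconstructed. It assumes MOVEit Transfer's web front end runs under IIS; the baseline list of expected pages, the file name /dropped.aspx and the log lines are constructed for the example and are not real indicators of compromise.

```python
"""Triage W3C-format IIS logs from a MOVEit Transfer host for exploitation fingerprints.

Added example for this page; not the page's code and not an official indicator set.
Assumptions (not taken from the page): the MOVEit web UI is served by IIS, whose
logs use the W3C extended format; KNOWN_ASPX and SAMPLE_LOG are constructed.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

# Hypothetical baseline of .aspx pages a clean MOVEit front end serves.
# In a real investigation derive this from a known-good install, not from memory.
KNOWN_ASPX: Set[str] = {"/human.aspx", "/guestaccess.aspx", "/login.aspx"}

# Constructed sample log. IIS replaces spaces in fields with '+', so each field is one token.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-28 02:11:05 10.0.0.5 GET /human.aspx - 443 alice 203.0.113.7 Mozilla/5.0 200
2023-05-28 02:11:09 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-28 02:11:10 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-28 02:11:11 10.0.0.5 POST /guestaccess.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-28 02:11:14 10.0.0.5 GET /dropped.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-28 02:11:16 10.0.0.5 POST /dropped.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-28 03:00:01 10.0.0.5 GET /login.aspx - 443 - 192.0.2.44 Mozilla/5.0 200
"""


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text. The '#Fields:' directive names the columns."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_unknown_aspx(rows: List[Dict[str, str]], known: Set[str] = KNOWN_ASPX) -> Dict[str, dict]:
    """Return .aspx stems absent from the baseline, with first sighting and requesting IPs."""
    hits: Dict[str, dict] = {}
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known:
            continue
        entry = hits.setdefault(stem, {"first_seen": f"{r['date']} {r['time']}", "sources": set()})
        entry["sources"].add(r["c-ip"])
    return hits


def unauthenticated_post_counts(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Count POST requests with no authenticated user (cs-username '-') per client IP."""
    return dict(Counter(r["c-ip"] for r in rows
                        if r["cs-method"] == "POST" and r["cs-username"] == "-"))


def source_timeline(rows: List[Dict[str, str]], ip: str) -> List[Tuple[str, str, str, str]]:
    """Every request from one client IP, in log order: (timestamp, method, path, status)."""
    return [(f"{r['date']} {r['time']}", r["cs-method"], r["cs-uri-stem"], r["sc-status"])
            for r in rows if r["c-ip"] == ip]


def triage(text: str) -> dict:
    """Run all checks and build a timeline for every IP that touched an unknown .aspx page."""
    rows = parse_iis_w3c(text)
    unknown = find_unknown_aspx(rows)
    suspects = sorted({ip for h in unknown.values() for ip in h["sources"]})
    return {
        "unknown_aspx": {stem: {"first_seen": h["first_seen"], "sources": sorted(h["sources"])}
                         for stem, h in unknown.items()},
        "unauth_posts": unauthenticated_post_counts(rows),
        "timelines": {ip: source_timeline(rows, ip) for ip in suspects},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On a real host the baseline would come from a clean installation of the same MOVEit version, the published CISA/FBI indicators would be applied alongside the generic checks, and the log window would be widened to cover the days before the vendor advisory, since the campaign was under way before the patch shipped.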

The impact on Missouri state operations and citizens depended on the outcome of the investigation. The primary risk was exposure of sensitive data moved between state agencies through the MOVEit platform. The agency committed to establishing a call center for affected individuals once the investigation identified them. The prevalence of MOVEit in large organizations, particularly in the United States, indicated the potential scale of the campaign: security company Censys noted that nearly 30% of the companies it observed using MOVEit have more than 10,000 employees, and that 8% of the observed hosts belonged to the government and military sector.

Progress, the company behind MOVEit, announced a second vulnerability within its software on June 9, which was subsequently patched. This indicates a continuing security concern surrounding the platform during this timeframe. The response from Missouri’s OA-ITSD remained focused on the initial vulnerability and investigation, with no public statement regarding the second vulnerability cited in the reporting. The core objective of the state’s response was to determine the scope of the data theft and to provide appropriate notification to those impacted, in line with standard post-breach procedures. The full extent of data exfiltrated from Missouri’s systems and the final count of affected individuals were not disclosed in the immediate aftermath of the incident, as the investigation was still ongoing at the time of the report.
