
Cyber Incident Victim: Nuance Communications, Inc.

Date: May 2023

Location: United States of America

Summary

A Russia-linked ransomware group known as Clop exploited a vulnerability in the MOVEit Transfer file-sharing tool to compromise multiple organizations, including Microsoft-owned AI firm Nuance Communications. The breach impacted several U.S. federal agencies; the Department of Energy confirmed that two of its entities were affected, exposing personally identifiable information of employees and contractors. While Clop claimed to have erased government data and refrained from listing agencies as victims, it publicly named Nuance alongside other corporate targets. The attackers leveraged the flaw for opportunistic data theft rather than targeted espionage, with no confirmed extortion attempts against government entities. Progress Software, the developer of MOVEit, subsequently patched an additional vulnerability that risked unauthorized access to customer environments.


Description

In late May 2023, the Russia-linked Clop ransomware gang exploited a critical vulnerability in Progress Software's MOVEit Transfer file transfer tool, compromising multiple U.S. federal agencies and private sector organizations. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed "several" federal agencies experienced intrusions through this vulnerability, though it did not disclose specific agency names or the total number affected. The Department of Energy (DOE) independently confirmed two of its entities—Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico—were breached, exposing personally identifiable information (PII) of tens of thousands of employees and contractors. CISA Director Jen Easterly characterized the attacks as "largely opportunistic," clarifying that intruders did not target high-value information or attempt persistent access to government systems. While Easterly stated no evidence indicated Clop had threatened to extort or release stolen U.S. government data, the attackers claimed on their dark web leak site to have erased government data and refrained from listing agencies as victims. Progress Software issued patches for the original MOVEit vulnerability but subsequently disclosed a new flaw (CVE-2023-35708) that risked unauthorized access to customer environments, prompting additional remediation efforts.

Clop began publicly listing non-governmental victims on its leak site on May 30, initially naming U.S. financial institutions 1st Source and First National Bankers Bank alongside U.K. energy company Shell. On May 31, the group added Microsoft-owned AI firm Nuance Communications, the Boston Globe, California-based East Western Bank, and New York biotechnology company Enzo Biochem to its victim list. None of these newly listed organizations, including Nuance, responded to media inquiries about the claims. The Federal Data Procurement System identified approximately a dozen additional U.S. agencies with active MOVEit contracts, including the Department of the Army, Department of the Air Force, and Food and Drug Administration, though their breach status remained unconfirmed. CISA coordinated urgent impact assessments and remediation with affected federal entities, while the DOE notified Congress, law enforcement, and CISA and implemented measures to contain further exposure. The incident highlighted widespread reliance on MOVEit Transfer software across critical infrastructure sectors, with ongoing investigations focused on determining the full scope of data exfiltration.
