Cyber Incident Victim: City National Bank
Date: Jun 2023
Location: United States of America
Summary
City National Bank was named as a victim of the Cl0p ransomware gang, which exploited a zero-day vulnerability in the MOVEit Transfer file-sharing platform. The bank was listed on the gang's dark web leak site alongside numerous other global organizations. The incident was part of a widespread cyberattack that impacted multiple federal agencies and major corporations, with data being stolen and threatened with publication if ransoms were not paid.
Description
On or around June 16, 2023, multiple U.S. federal agencies were identified as being affected by intrusions related to the exploitation of a vulnerability in the MOVEit Transfer software. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed it was providing support to these agencies. The US Energy Department was specifically named by CISA as one of the federal agencies hit in these attacks. This incident was part of a broader global campaign affecting hundreds of organizations. The threat actor behind this widespread exploitation was the Cl0p ransomware gang. The group exploited a zero-day vulnerability in the MOVEit file transfer platform, software made and distributed by the American company Progress. The vulnerability was exploited through an SQL injection attack against the software's database.

The US Department of Health and Human Services (HHS) was confirmed to be among the agencies affected, though its own systems and networks were not compromised. Instead, attackers gained access to HHS data by exploiting the vulnerability in the MOVEit Transfer software that was operated by third-party vendors. A source indicated that tens of thousands of records held by HHS could have been exposed as a result of this breach. CISA executive assistant director Eric Goldstein and CISA director Jen Easterly both commented on the federal agency intrusions, with Easterly noting there was minimal impact from those specific attacks.
Prior to these government disclosures, the Cl0p gang had set a ransom deadline. They threatened to release the names of their victims and publish stolen data if a ransom demand was not met by June 14th. Following this deadline, the gang began to publicly claim victims on its dark web leak site. On June 29th, the gang posted the names of two major multinational law firms: Kirkland & Ellis LLP, a client services firm based in New York City, and K&L Gates LLP, a corporate law firm headquartered in Pittsburgh, Pennsylvania. Neither firm publicly confirmed the hack at that time.
Early on the morning of June 29th, the Cl0p gang added additional organizations to its leak site. These new additions included The Harrington Company, a Minnesota business firm, and City National Bank located in Miami, Florida. The public listing on the leak site indicated that data allegedly stolen from these entities was in the possession of the threat actors and was subject to potential publication. The gang made a specific vow on its leak site regarding government data, claiming it would delete any such information and stating its interest was solely in holding private businesses accountable for their security deficiencies.
The scope of the MOVEit attacks was extensive, impacting major players across various sectors beyond government and law. Other victims named during this period included Siemens Energy, the University of California Los Angeles (UCLA), and the New York City Department of Education. The breach at the New York City Department of Education was particularly significant, resulting in the exposure of the names of 45,000 students. This incident followed a pattern of previous attacks by the same group, which was also responsible for exploiting a zero-day vulnerability in the Fortra GoAnywhere file management system that compromised at least 130 organizations in the spring of 2023.
In response to the ongoing threat posed by the Cl0p gang, the U.S. government announced a monetary reward on June 19th. This reward, offering up to $10 million, was for information leading to the identification or location of any individuals who held a key leadership position within the Cl0p ransomware group. This action represented a significant law enforcement effort to disrupt the group's operations and bring its members to justice. The cybercriminal group was characterized by a Trend Micro vice president as persistent, with the observation that "they aren't going away" unless significant pressure was applied.
