Cyber Incident Victim: Johns Hopkins University
Date: May 2023
Location: United States of America
Summary
Johns Hopkins University was impacted by the mass exploitation of a vulnerability in Progress Software's MOVEit Transfer file transfer tool, a campaign attributed to the Clop ransomware gang. The incident may have compromised sensitive personal and financial information, including names, contact details, and health billing records. The university confirmed the cybersecurity incident and was evaluating the scope of the potential data exposure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around May 28, 2023, a cybersecurity incident was identified at Johns Hopkins University. The incident is believed to be connected to a mass exploitation campaign conducted by the Russia-linked ransomware gang known as Clop. The group had been exploiting a critical SQL injection vulnerability (CVE-2023-34362) in MOVEit Transfer, a widely used managed file transfer product developed by Progress Software, since late May 2023, compromising numerous organizations that used the software to share large files over the internet. Progress Software published an advisory and patch on May 31, 2023, but by then many of its customers had already been compromised.

The Clop gang departed from its usual extortion playbook in this campaign. Rather than contacting each victim directly to demand payment, the group posted a blanket extortion notice on its dark web leak site instructing affected organizations to get in touch before a June 14 deadline, claiming to have exfiltrated a large volume of data from the compromised MOVEit servers. On June 15, Clop began listing the first batch of organizations it claimed to have breached through the MOVEit flaw, using the public naming of victims as leverage to pressure them into paying.
Johns Hopkins University confirmed during the week of June 12, 2023 that it was among the victims. In a public statement, the university acknowledged a cybersecurity incident believed to be connected to the broader MOVEit mass-hack and said the breach may have affected sensitive personal and financial information, including individuals' names, contact information, and health billing records. The incident was part of a wider wave of attacks affecting a diverse range of sectors, including financial services, energy, government, and education.
The full scope of the attack on Johns Hopkins University's systems, including the number of individuals affected, was not immediately disclosed. The university began an evaluation to determine the scope and severity of the potential exposure, which involved establishing which systems were accessed and what data types were exfiltrated by the threat actors. The incident was one part of a much larger global campaign. Other notable victims listed by Clop or confirming compromise included the U.S. banks 1st Source and First National Bankers Bank, the investment firm Putnam Investments, the University System of Georgia, the U.K. energy giant Shell, and the U.K. communications regulator Ofcom. Ofcom confirmed that confidential information about the companies it regulates, along with the personal data of 412 of its employees, was accessed.
The attack vector was a zero-day vulnerability in the MOVEit Transfer software. Researchers at the American risk consulting firm Kroll reported that Clop appeared to have been experimenting with ways to exploit this vulnerability for almost two years, with activity dating back to 2021, indicating substantial reconnaissance and planning before the mass exploitation event in May 2023. This was not Clop's first mass-attack against file transfer software: the group was also behind earlier campaigns that exploited flaws in Fortra's GoAnywhere MFT and Accellion's legacy File Transfer Appliance (FTA).
In response to the incident, Johns Hopkins University initiated its standard procedures for evaluating a potential data breach, which include assessing the nature of the data that may have been exposed and determining appropriate next steps. The university stated that, consistent with federal and state law, it would notify any individuals whose information was affected if the evaluation concluded that a breach of personal data had occurred. The primary consequence of the incident was the potential compromise of sensitive personal and financial information, which carries an inherent risk of misuse against the individuals involved. The university's public confirmation served as the initial step in its transparency and response efforts following the attack.
