Cyber Incident Victim: Boston Globe

Date: May 2023

Location: United States of America

Summary

A Russia-linked ransomware group known as Clop exploited a vulnerability in the MOVEit Transfer file-sharing tool, compromising multiple U.S. federal agencies including two Department of Energy entities, which exposed personally identifiable information of employees and contractors. The attackers listed additional victims such as a prominent media organization, financial institutions, and biotechnology firms, though they claimed to have erased government data without extortion attempts. Progress Software addressed a subsequent vulnerability in the tool as new victims emerged, while impacted agencies collaborated with cybersecurity authorities to investigate and mitigate breaches.

Description

The MOVEit Transfer breach emerged in late May 2023 when threat actors exploited a critical vulnerability in Progress Software's enterprise file transfer tool, impacting multiple U.S. federal agencies and private organizations. The Cybersecurity and Infrastructure Security Agency (CISA) confirmed "several" federal agencies experienced intrusions linked to this vulnerability, attributing the attacks to the Russia-linked Clop ransomware gang. While CISA did not disclose the number or names of all affected agencies, the Department of Energy verified that two of its entities—Oak Ridge Associated Universities and the Waste Isolation Pilot Plant in New Mexico—suffered compromises exposing personally identifiable information of tens of thousands of employees and contractors. Federal procurement records indicated approximately a dozen additional agencies had active MOVEit contracts, including the Department of the Army, Department of the Air Force, and Food and Drug Administration. Clop began publicly listing victim organizations on its dark web leak site, initially naming U.S. financial institutions like 1st Source and First National Bankers Bank alongside international entities such as Shell.

CISA Director Jen Easterly stated during a June press conference that the agency was collaborating with impacted entities to investigate and remediate breaches, characterizing the attacks as opportunistic rather than targeted at high-value data or persistent network access. While Easterly confirmed no evidence of data exfiltration or extortion attempts against government agencies, Clop claimed to have erased government data and refrained from listing agencies as victims. Meanwhile, the ransomware group expanded its public victim list to include the Boston Globe, East Western Bank, biotechnology firm Enzo Biochem, and Microsoft-owned Nuance. Progress Software disclosed a subsequent vulnerability (CVE-2023-35708) in MOVEit Transfer, prompting additional patches to prevent unauthorized access. The Department of Energy notified Congress, law enforcement, and CISA about its breaches, initiating mitigation efforts without public confirmation from most newly listed private-sector victims regarding compromise details or data impacts.
