Cyber Incident Victim: Government of Nova Scotia
Date: Jun 2023
Location: Canada
Summary
The Government of Nova Scotia was impacted by a global cybersecurity incident involving a zero-day vulnerability in the MOVEit file transfer application. The Clop ransomware gang exploited this flaw to access and steal the personal information of an undetermined number of residents. The province was alerted by the software vendor and took the system offline immediately, but the investigation into the full scope of the data breach was ongoing.
Description
On or around June 1, 2023, the Government of Nova Scotia was informed by Progress Software, the developer of the MOVEit file transfer tool, of a critical security vulnerability affecting the software. This notification was part of a global response to the discovery of a zero-day vulnerability, tracked as CVE-2023-34362. Upon being notified, the provincial government immediately took its instance of the MOVEit system offline and applied a security update provided by the vendor in an effort to mitigate the threat. The initial action was taken to prevent further unauthorized access through the exploited software flaw.

The following day, on June 2, as the government's investigation advanced, officials became aware that a more detailed investigation was necessary. It was determined that the personal information of an unknown number of Nova Scotia residents had been accessed by an unauthorized actor. The intrusion was attributed to the exploitation of the MOVEit vulnerability, which the government described as part of a global security issue. The provincial government used the MOVEit system to share information more efficiently among its various agencies, indicating it handled data transfers between departments.
By Sunday, June 3, the Government of Nova Scotia issued a public warning confirming that a data theft had occurred. Cyber Security and Digital Solutions Minister Colton LeBlanc acknowledged the public anxiety the incident would cause and stated that staff were working hard to determine the precise scope of the breach. The key unknowns at the time of the announcement were the specific type of personal information that was stolen and the total number of people affected. The province committed to directly contacting any residents whose information was involved as more details were confirmed.
The threat actor behind the exploitation of the MOVEit vulnerability was identified by Microsoft as the Clop ransomware gang. This assessment was confirmed by the group itself in comments to media outlets. The group's modus operandi in this attack was assessed by cybersecurity experts as a "steal and extort" operation, similar to their previous attacks against other file transfer tools like Fortra’s GoAnywhere and Accellion’s File Transfer Appliance. Rather than attempting to encrypt systems on the victims' networks, the group focused on exfiltrating data for the purpose of extortion, threatening to release it unless a payment was made.
Progress Software reported that it responded to the discovery of the vulnerability by promptly launching an investigation and immediately alerting its customers. The company stated that within a 48-hour period, it disabled web access to MOVEit Cloud to protect those customers, developed a security patch to address the vulnerability, made the patch available to its MOVEit Transfer customers, and then patched and re-enabled MOVEit Cloud. The company also implemented third-party validations to ensure the patch corrected the exploit and engaged with federal law enforcement agencies.
The incident involving the Government of Nova Scotia was among the first confirmed in North America, alongside an incident at the University of Rochester. The global scale of the vulnerability's impact was suggested by the University of Rochester's statement, which noted the flaw had impacted approximately 2,500 organizations worldwide. Other early victims included major corporations like the BBC, British Airways, and Aer Lingus, which suffered breaches when their payroll provider, Zellis, was compromised via the same MOVEit vulnerability.
The primary consequence for the Government of Nova Scotia was the unauthorized access and theft of resident data. The specific contents of the stolen data and the number of affected individuals were not immediately known and were still under investigation at the time of the public announcement. The potential exposure of sensitive personal information held by a government agency created significant concern for residents and posed a risk of identity theft and fraud. The government's response included an ongoing investigation to determine the full scope of the impact.
The government's containment actions involved taking the vulnerable system offline immediately upon notification and applying the available patch. The investigation involved internal staff and likely external cybersecurity experts, though specific external partners were not named in the initial announcement. The public response was focused on transparency, with officials committing to provide updates as more information became available and to directly notify affected individuals. The incident highlighted the risks associated with third-party software dependencies and the rapid exploitation of zero-day vulnerabilities by sophisticated cybercriminal groups.
