
Cyber Incident Victim: Office of Personnel Management

Date: May 2023

Location: United States of America

Summary

A cyber incident exploited vulnerabilities in the MOVEit Transfer file transfer tool, impacting several federal agencies including the Department of Energy and the Department of Agriculture. The breach compromised large volumes of personal information held by state-level organizations, affecting millions of individuals and exposing data such as names, Social Security numbers, and driver's license details. The Clop ransomware group claimed responsibility for the attacks and listed numerous victims on its leak site, making this a significant and wide-ranging data breach.


Description

A third vulnerability affecting the MOVEit Transfer file transfer tool was identified and disclosed by Progress Software, the company behind the product, in mid-June 2023 (Progress published its advisory on June 15 and a patch on June 16). Tracked as CVE-2023-35708, this newly discovered bug, like the two before it, was a SQL injection flaw in the MOVEit Transfer web application that could grant an attacker escalated privileges and unauthorized access to a victim's environment. Progress Software stated that an "independent source" disclosed this new vulnerability. The company reported that at the time of disclosure it had not seen indications that the vulnerability had been exploited. It developed a patch to address the issue and communicated with customers on the necessary steps to further harden their environments. Progress Software also noted it had been coordinating with federal law enforcement and other agencies regarding the matter. In its advisory, Progress warned that it was "extremely important" that all MOVEit customers take immediate action, advising them to disable all HTTP and HTTPS traffic to their MOVEit Transfer environment until the fix was applied, and noting that customers needed to have applied the patch for the initial vulnerabilities before applying this latest fix. The Cybersecurity and Infrastructure Security Agency (CISA) urged organizations to review Progress' advisory about the new bug.


This vulnerability was the third to be discovered in the popular file transfer tool. A security researcher who goes by MCKSys Argentina on Twitter discovered the third issue while examining the findings related to the second MOVEit vulnerability. The researcher found that the patch for the previous vulnerabilities left the application exposed to other attack methods, which led to the discovery of this third vulnerability. The attack method previously used by the Clop ransomware hackers involved three separate steps; this newest vulnerability would allow an attacker to achieve the same result in just two steps. A senior security researcher involved in the disclosure of the second vulnerability noted that the MOVEit Transfer application could be attacked in multiple ways and that the discovery of more issues was unsurprising as security researchers continued to scrutinize the software.

The discovery of these vulnerabilities, starting with the first one disclosed at the end of May 2023, created a significant incident with widespread impacts. Dozens of entities reported data breaches stemming from the exploitation of these flaws. The Clop ransomware group exploited the initial vulnerability to steal data from numerous organizations. On June 15, 2023, CISA revealed that "several" federal agencies were impacted by these MOVEit-related cyberattacks. The Department of Energy confirmed that two entities under its umbrella were affected by the incident.

The U.S. Department of Agriculture (USDA) stated it may have been hit by the Clop group. A USDA spokesperson said the department was aware of a possible data breach with a vendor that may impact a very small number of employees. The spokesperson noted that any employees whose data may have been affected would be contacted and provided support. The USDA's breach investigation had not been previously reported. Spokespeople for the Department of Labor, the Department of Education, and the Department of the Interior said they were not affected by the incident. Both the State Department and the Defense Department declined to comment on whether they were impacted. Several other federal agencies did not respond to requests for comment. House Energy and Commerce Chair Cathy McMorris Rodgers and Committee Ranking Member Frank Pallone asked for a briefing about the issue from the White House and the Department of Energy.

Numerous state-level government organizations also announced breaches connected to the MOVEit vulnerabilities. Agencies in Illinois, Missouri, and Minnesota stated they were investigating potential data breaches related to MOVEit that affected thousands of people. The motor vehicle departments in both Oregon and Louisiana confirmed they were affected by the attacks. The state of Louisiana issued a statement saying that all Louisianans with a state-issued driver’s license, ID, or car registration have "likely" had their personal information accessed. This information included names, Social Security numbers, dates of birth, physical attributes, driver’s license numbers, and vehicle registration information.

Oregon's Department of Transportation confirmed that the personal information of approximately 3.5 million holders of Oregon IDs or driver's licenses was affected by the breach. The department's analysis identified multiple files shared via MOVEit Transfer that were accessed by unauthorized actors before the department received the security alert. The department stated it did not have the ability to identify whether any specific individual's data had been breached and advised individuals who hold an active Oregon ID or driver's license to assume that information related to that ID is part of this breach.

By June 17, 2023, a ransomware expert from Emsisoft reported that 63 victims had either been named by the Clop group on its dark web leak site or had come forward to announce breaches. The expert noted that while the full number of affected organizations was not yet known, the incident may well turn out to be one of the most wide-ranging and significant breaches of recent years. The scope of the breach was such that companies providing credit monitoring services were expected to see a significant increase in business. The Clop ransomware group claimed to have deleted all government-related data it had stolen, though this claim could not be independently verified at the time. The incident involved the large-scale exfiltration of sensitive personal information from a wide array of victims, carried out primarily through the exploitation of vulnerabilities in a widely used commercial file transfer application. The response involved coordinated efforts by the software vendor, federal law enforcement, and cybersecurity agencies to patch systems and mitigate the ongoing threat.
