Five months after the breach, high-profile targets continue to join the long list of victims of the MOVEit hack that took place back in May, the latest being the US Department of Defense and Department of Justice.
According to a report by the Office of Personnel Management (OPM) seen by Bloomberg through a Freedom of Information Act request, threat actors accessed the email addresses of roughly 632,000 staff across both departments, as well as internal agency tracking codes and links to government employee surveys.
Those affected within the Department of Defense span the Army, Air Force, the Office of the Secretary of Defense, the Army Corps of Engineers and Joint Staff, as well as Defense Agencies and Field Activities.
While the OPM rates the accessed data as low-sensitivity and unclassified, it has nonetheless designated the attack as a whole a major incident.
For those unaware of the initial incident, MOVEit is a managed file transfer product made by Progress Software and used by a number of major organisations and government agencies. The list of breach victims now runs to over 2,000, including Shell, PwC, Fortescue, Medibank, the BBC, British Airways and more.
The threat group thought to be responsible for the breach, the Russia-based Clop ransomware group, gained access to data held in victims' MOVEit Transfer instances by exploiting a zero-day SQL injection vulnerability that, according to Microsoft, allowed the group to “authenticate as any user”.
“Progress has discovered a vulnerability in MOVEit Transfer and MOVEit Cloud that could lead to escalated privileges and potential unauthorised access to the environment,” Progress said in a security update.
While the vulnerability has since been patched, the initial access was all Clop needed to steal the data of thousands of organisations.
The Department of Justice and the Department of Defense are not the only government agencies affected; the Department of Energy is another. At the time of that earlier announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) said no military or intelligence agencies had been affected.
The fact that new victims of the MOVEit breach are still being named months later suggests that either information is being withheld from the public or, more likely, Clop is releasing data gradually and demanding ransoms from organisations one batch at a time.
Consistent with this, Clop sets strict, short deadlines for organisations to respond to its ransom demands.
“You have 3 day to discuss price and if no agreement you custom page will be created … after 7 days all you data will start to be publication,” the group wrote previously.
“You chat will close after 10 not productive day and data will be publish.”
Clop said that victims who pay will have their data deleted from the group’s archives and that proof of deletion will be supplied.