Russian Ransomware Group Launched A Series of Cyberattacks on Federal Agencies of the US

Post Views: 270

According to the leading cybersecurity organization in the United States, there is no proof that the organization was acting in concert with the Russian government.

U.S. officials reported on Thursday that a Russian malware gang had gotten access to information from federal institutions, notably the Energy Department, through an attack that used file transfer software to collect and resell users’ data.

The intrusion, according to Jen Easterly, chief of the Agency for Cybersecurity and Infrastructure Security, was primarily “opportunistic” and wasn’t targeted at “specific high-valuable information” or caused as much damage as other cyberattacks on U.S. government organizations.

“Although we are extremely worried about this marketing effort, this is not a campaign, such as SolarWinds, that brings a systemic risk,” Ms. Easterly told reporters on Thursday, alluding to the significant hack that exposed numerous U.S. intelligence agencies in 2020.

The Energy Department announced on Thursday that a couple of its entities’ data had been breached. The department claimed it had informed Congress and the C.I.S.A. about the intrusion.

Chad Smith, the deputy press secretary for the Energy Department, stated that “D.O.E. implemented immediate measures to stop additional exposure to the vulnerability.”

The State Department and F.B.I. representatives refused to elaborate on whether their organizations were impacted.

According to an evaluation by C.I.S.A. and F.B.I. investigators, Easterly said, the breach was a component of an extensive ransomware activity executed by Clop, a Russian ransomware gang that assaulted a variety of local governments, universities, and businesses using a vulnerability in the software MOVEit.

Public figures in Illinois, Nova Scotia, and London revealed previously this month that they were amongst the software users impacted by the hack. The BBC and British Airways both claimed to be impacted by the leak. Similar remarks on the attack have been made by Johns Hopkins University, the University System of Georgia, and the European oil and gas firm Shell.

Only a few federal agencies, according to a senior C.I.S.A. officer, were impacted, but he or she would not say which ones. However, the official went on to say that preliminary information from the private sector indicated that at least a hundred companies and associations had been impacted. The official discussed the attack while requesting anonymity.

NASA, the Treasury Department, the Department of Health and Human Services, and several divisions of the Defense Department are just a few of the government organizations that have bought the MOVEit software, in accordance with data gathered by the company GovSpend. However, it was unclear how many organizations were using it right away.

On its website, Clop previously accepted liability for the previous wave of breaches.

The group claimed it had “no interest” in employing any data obtained from law enforcement or governmental institutions, and it had erased it in favor of just using data obtained from businesses.

The president of the cybersecurity company Cloudera Government Solutions, Robert J. Carey, highlighted that information taken in attacks with ransomware could simply be sold to other criminals.

Anyone utilizing this, he warned, pointing to the MOVEit program, “is probably infected.”

CNN had previously reported on the discovery that federal departments were also among those impacted.

Progress Software, the company that owns MOVEit, said the latter had “involved with the government’s law enforcement and other organizations” and would “combat ever-more sophisticated and relentless cyber intruders motive on fraudulently taking advantage of flaws in commonly utilized software products.” The corporation discovered the software flaw in May, released a fix, and on June 2, the C.I.S.A. added it to its online database of known vulnerabilities.

When asked if there was any indication that Clop was working along with the Government of Russia, the C.I.S.A. official responded that there was none.

The MOVEit attack is yet another instance of government organizations succumbing to coordinated criminal activity by Russian gangs, as ransomware attacks frequently shut down crucial civilian infrastructure, such as hospitals, electricity networks, and city services, while targeting Western targets.

As recently as 2021, when a Russian ransomware campaign damaged as many as 1,500 organizations worldwide, it appeared that some operations were solely motivated by money.

However, with the implicit sanction of the Russian government, Russian ransomware organizations have also recently participated in purported political operations, focusing on nations that have backed Ukraine since the Russian invasion last year.

Shortly after the Russian takeover of Ukraine, a second Russian gang, Conti, launched ransomware assaults against 27 Costa Rican official institutions, prompting the president to issue a national state of emergency.

Before the conflict in Ukraine, cyberattacks coming from Russia had become a source of friction between the United States and Russia. When President Biden met with Russian President Vladimir V. Putin in 2021, the matter was at the forefront of the White House’s priority list.

A few weeks before Mr. Biden and Mr. Putin met, a ransomware assault on one of the main gasoline pipelines in the United States by an organization thought to be in Russia compelled the pipeline’s administrator to reimburse $5 million in order to retrieve its stolen data. Federal officials then claimed that a cyber operation helped them retrieve a large portion of the money.

Additionally, on Thursday, researchers at the cybersecurity company Mandiant discovered an attack against the email security service Barracuda Networks that they claimed appeared to be the result of Chinese espionage. The ASEAN Ministry of Foreign Affairs and the foreign trade offices in Hong Kong and Taiwan were among the several governmental and business institutions that were impacted by this breach, according to Mandiant’s assessment.

About The Author:

Yogesh Naager is a content marketer that specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.