View of the US Pentagon showing MOVEit data breach

More Fallout From MOVEit Data Breach Documented: 632,000 Emails From US Departments of Defense and Justice Accessed by Russian Hackers

The summer’s MOVEit data breach was known to impact some federal agencies, but more details about the extent of the damage are now available. The breach saw about 632,000 emails from the Departments of Defense and Justice accessed by a criminal hacking group based in Russia, in addition to already-documented personal information leaks at some 1,000 companies.

This is the first time that the specific impacted agencies have been named, or that more detail has been provided about the expected volume and type of files leaked from the federal government. Private companies holding federal information were, however, already known to have been impacted by the MOVEit data breach, such as a contractor that leaked hundreds of thousands of Medicare files.

Russian criminals nab massive haul of confidential info in MOVEit data breach

The MOVEit data breach has been attributed to Cl0p, one of the more prominent ransomware gangs at present. The group broke from its usual deployment of ransomware with this breach, however, seemingly content to steal valuable data while staying under the radar, then emerging over the summer with extortion demands via its dark web portal.

The new information about federal government leaks comes from an internal report prepared by the Office of Personnel Management (OPM), which was obtained by Bloomberg via a Freedom of Information Act (FOIA) request. The report indicates that the email accounts accessed during the MOVEit data breach were not classified and contained information characterized as “generally of low sensitivity” and not a systemic risk to national security. The Defense Department said that accounts from the Air Force, Army, U.S. Army Corps of Engineers, the Office of the Secretary of Defense, the Joint Staff, Defense Agencies and Field Activities were accessed by the hackers.

Corey Brunkow, Director of Engineering Operations at Horizon3.ai, expects to see even “low sensitivity” information leveraged in future attacks: “All of this information in aggregate, along with email addresses, are perfect start points that basic hackers can use to generate a password spraying campaign at scale. Username = email address, Password = the 10,000 most used passwords tuned to be modified with data from these lists of ‘low sensitivity data’. Mandatory password changes for ALL tools configured with usernames consisting of these email addresses are likely a full day’s work for everyone involved, and if not managed properly with follow-up password audits could lead to future compromise of other capabilities.”
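The spray pattern Brunkow describes (one leaked email address per username, a guess or two against each, rotated across the whole list) leaves a recognizable footprint in authentication logs: one source failing against many distinct accounts while staying under the per-account lockout threshold. The following Python is an added example, not code from the article or from Horizon3.ai. It flags such a source and lists which of the sprayed accounts it subsequently logged into, so those accounts can be reset and audited first. The log format, IP addresses and usernames are constructed for the example, and the window and thresholds are assumptions to be tuned per environment.

```python
"""Password-spray detector over authentication logs (added example).

A spray differs from a brute force: few attempts per account, many accounts,
one source, short time span. The detector keys on that shape rather than on
failure counts per account, which is what lockout policies already watch.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, username, result.
# 203.0.113.7 sprays ten accounts once each and lands on k.hall;
# 198.51.100.9 hammers a single account (brute force, not a spray);
# 192.0.2.44 is a user mistyping their password once.
SAMPLE_LOG = """\
2023-11-01T08:00:01Z 203.0.113.7 a.smith@example.mil FAIL
2023-11-01T08:00:03Z 203.0.113.7 b.jones@example.mil FAIL
2023-11-01T08:00:05Z 203.0.113.7 c.lee@example.mil FAIL
2023-11-01T08:00:07Z 203.0.113.7 d.kim@example.mil FAIL
2023-11-01T08:00:09Z 203.0.113.7 e.diaz@example.mil FAIL
2023-11-01T08:00:11Z 203.0.113.7 f.chen@example.mil FAIL
2023-11-01T08:00:13Z 203.0.113.7 g.ross@example.mil FAIL
2023-11-01T08:00:15Z 203.0.113.7 h.park@example.mil FAIL
2023-11-01T08:00:17Z 203.0.113.7 i.wolf@example.mil FAIL
2023-11-01T08:00:19Z 203.0.113.7 j.wang@example.mil FAIL
2023-11-01T08:00:21Z 203.0.113.7 k.hall@example.mil SUCCESS
2023-11-01T08:01:00Z 198.51.100.9 a.smith@example.mil FAIL
2023-11-01T08:01:05Z 198.51.100.9 a.smith@example.mil FAIL
2023-11-01T08:01:10Z 198.51.100.9 a.smith@example.mil FAIL
2023-11-01T08:01:15Z 198.51.100.9 a.smith@example.mil FAIL
2023-11-01T08:01:20Z 198.51.100.9 a.smith@example.mil FAIL
2023-11-01T08:01:25Z 198.51.100.9 a.smith@example.mil FAIL
2023-11-01T08:05:00Z 192.0.2.44 l.gray@example.mil FAIL
2023-11-01T08:05:30Z 192.0.2.44 l.gray@example.mil SUCCESS
"""


def parse_events(text):
    """Parse the constructed log format into (time, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user.lower(), result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=8, max_per_account=2):
    """Return {source: finding} for sources whose failures look like a spray.

    Thresholds are assumptions: within `window`, at least `min_accounts`
    distinct usernames failed, and no single username was tried more than
    `max_per_account` times (the low-per-account profile that evades lockout).
    """
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        best = None  # (distinct accounts, window start) for the widest spray window
        start = 0
        for end in range(len(fails)):
            # Sliding window: drop failures older than `window` before fails[end].
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), fails[start][0])
        if best:
            n, t0 = best
            # Accounts the same source logged into after the spray began are the
            # ones to reset first; the rest get a forced change and an audit.
            hits = sorted({u for ts, u, r in evs if r == "SUCCESS" and ts >= t0})
            findings[src] = {
                "accounts_targeted": n,
                "window_start": t0.isoformat(),
                "successful_logins": hits,
            }
    return findings


if __name__ == "__main__":
    for src, f in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(src, f)
```

The brute-force source is deliberately not reported: it trips per-account lockout and is a different alert. Running the detector over a real identity provider's sign-in export needs only `parse_events` swapped for that provider's field layout.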

The contents of the emails included agency tracking codes and internal surveys administered by OPM, but the report did not provide any further detail on what was compromised. Erich Kron, security awareness advocate at KnowBe4, notes: “While the group promised to delete information related to governments, cities or police departments, it seems highly unlikely that this group is to be trusted. While they may not leak this information publicly, it could be of great interest to other nation states looking to gather intelligence on American citizens or government agencies, potentially offering them a source of income, if willing to sell the information to these entities.”

Most of the MOVEit data breach took place in late May, and publisher Progress had patched the initial issues as of May 31 and issued follow-up patches for new critical vulnerabilities in early October. However, these patches must be applied manually, and a substantial number of organizations are thought to have not yet put them in place. Organizations remain vulnerable to hackers until they apply the patches in full.

Those that continue to harbor the vulnerability may meet the same fate as numerous other organizations that have had their data dumped by Cl0p. The group responds to refusal to pay its ransom demands by packaging the stolen data in large download archives that are available on the “clearweb,” or via any standard web browser.

Cl0p rampage proves lucrative as group shifts to stealth tactics

The MOVEit data breach windfall has been estimated at as high as $100 million for Cl0p, and there is probably more to come given patching delays. Most of MOVEit’s client base consists of large enterprise-scale companies with at least 10,000 employees, and the company has boasted of having most of the Fortune 500 as customers. Research by security firm Emsisoft indicates that more than 2,500 companies were impacted as of last month and the personal data of 67 million individuals in total had been stolen.

MOVEit is not yet seeing serious financial damage from the breach; the company recently reported spending just under $1 million on recovery to date, and posting a quarterly income of $175 million. However, the company now has at least five major class action lawsuits hanging over its head. Attorneys handling the suits are accusing the company of breach of contract and negligence, noting that the vulnerability that Cl0p exploited had existed since 2021. They also say that the company has not yet done anything to improve its cybersecurity to a point that would ensure something similar does not happen again. It is too early to predict any outcomes, but cases with circumstances similar to the MOVEit data breach have resulted in judgments in the hundreds of millions of dollars.

More details about the MOVEit data breach are likely forthcoming when the company files its 10-Q report for Q4. Numerous clients have already stepped forward to self-report damage from their own breaches, however. State health plans and retirement systems seemed to take a great deal of the damage, with Oregon losing 1.7 million health records and California losing 1.2 million records of former employees in the CalPERS and CalSTRS retirement systems. A breach of contractor Maximus also exposed the records of about 600,000 Medicaid recipients. But the largest single breach documented thus far is HCA Healthcare, which has some 180 hospitals across the US and UK and had about 11 million patient records exposed.

Emily Phelps, Director at Cyware, thinks that patching will not completely solve the issue at this point: “MOVEit transfer attacks have impacted organizations across industries and sectors. While a layered security approach – multifactor authentication, regular patches and updates, intrusion detection and prevention systems, etc. – plays a major role in defense, we must enable organizations to adopt more proactive cybersecurity methods. Organizations need a combination of human expertise and advanced technology that can play well together in order to outpace well-coordinated adversaries. They must also be enabled to connect the dots between disparate tools and tech and team silos so the right intelligence gets into the right hands to take the right actions.”