Russia-Origin MOVEit Supply Chain Attack May Have Netted US National Security-Sensitive Information
Were Clop ransomware attacks an “opportunistic” and purely criminal operation, or could espionage be a side benefit?
On Wednesday, June 14, 2023, the dark web leak site for Russia-based Clop (also known as Cl0p) ransomware operations began listing organizations it had breached with a supply chain attack exploiting flaws in the MOVEit file sharing tool that Progress Software developed. Clop actors claimed to have compromised hundreds of entities; the ever-expanding list includes organizations in the financial, insurance, local government, health and education sectors. The data exfiltration reportedly began around May 27, during the US Memorial Day holiday.
Clop operators reportedly breached not only private companies and state and local public organizations but also US government entities or contractors. These included a New Mexico company that disposes of nuclear waste for the US Energy Department; the Oak Ridge Associated Universities, a scientific research consortium associated with the national nuclear research laboratories at Oak Ridge, Tennessee; the US Department of Agriculture; and the Office of Personnel Management (OPM), which manages information on US Government employees. (As a reminder, a massive breach of the OPM in 2015, which US officials have attributed to Chinese government hackers, netted sensitive records from security clearance background checks on over 20 million people.)
The Clop hackers claimed that they would not release the data they had stolen from government entities, saying they had no interest in politics. With regard to the government victims, they wrote “we still do the polite thing and delete all.” However, their term “polite” itself raises suspicions; it evokes the ironic term “polite people,” referring to the troops in unmarked uniforms who took part in the seizure of Crimea from Ukraine in 2014.
The Washington Post cited US cybersecurity chief Jen Easterly on June 16 as saying this breach is not as bad as the SolarWinds espionage case of 2019-2020. She described the hackers as “largely opportunistic” in taking advantage of the MOVEit tool’s vulnerability, and said the attackers did not appear to have stolen “specific, high-level information” from the victim entities. She said, “As far as we know these actors are only stealing information that is specifically being stored on the file-transfer application at the precise time that the intrusion occurred,” Axios reported on June 15. A US cybersecurity official also said no evidence currently exists of Clop actors working with the Russian government, the Washington Post reported on June 16. However, the fact that the ransomware operators had been testing MOVEit servers as early as July 2021 suggests a sophisticated and long-planned operation, rather than an opportunistic attack.
Even though US officials downplayed the incident’s severity, the US government also raised the possibility of Russian state backing; on June 16 the US State Department offered a $10 million bounty for “info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government.” As mentioned above, the hackers’ use of the word “polite” evoked the Russian government’s use of anonymous military forces in its invasion of Ukrainian territory in 2014.
Further, even if the hackers kept their promise not to publicize the government data, it is possible that they used the stolen information for espionage, potentially sharing it with Russian intelligence services. In 2021, the REvil ransomware actors breached US nuclear weapons contractor Sol Oriens and threatened to leak the data “to military angencies (sic) of our choise (sic).” Also in 2021, unknown hackers breached Spanish cloud computing company Everis, which holds NATO information. In a note to transparency group DDoSecrets they wrote, “I hope they appreciate we just deleted all of Everis’ garbage instead of backdooring it or dropping it in the FSB securedrop,” referring to Russia’s Federal Security Service.
Threat actors who use the Clop ransomware include some groups that have sometimes carried out attacks that align with Russian strategic goals. Some researchers have linked Clop activity with groups labeled FIN11 or TA505. Some analysts associate TA505 with Evil Corp, a group the US Treasury Department has sanctioned for cooperating with Russian intelligence. Another group that has used Clop malware is FIN7, whose operations have included BadUSB, which targeted the US defense industry in 2021. Some researchers have linked FIN7 to groups that have carried out attacks on Western critical infrastructure and that have sometimes made statements of Russian patriotism, suggesting they have political, and not purely financial, motives. The groups thought to have had relationships with FIN7 include DarkSide, operators of the ransomware that wreaked havoc in eastern US gasoline supplies when used against Colonial Pipeline; Black Basta, a group that reportedly included personnel from the breakup of the Conti ransomware group, which did business with Russian intelligence services; REvil, a successor to the GandCrab ransomware whose operators explicitly called for targeting enemies of Russia; and ALPHV (a.k.a. BlackCat), a suspected rebrand of the DarkSide ransomware group, whose operators frequently target critical European energy infrastructure, in operations that align with Russian strategic priorities.
The victim data that Clop actors stole in the recent campaigns exploiting MOVEit could certainly be useful to Russian intelligence agencies. In particular, two of the university targets potentially house sensitive data on biological, cyber and radiological threats. Johns Hopkins University houses the prime database on COVID-19 infections. (In 2020, Russian cybercrime forums sold a malicious version of JHU’s interactive coronavirus infection map, which would spread password-stealing malware to anyone who opened it.) And the University System of Georgia includes the Georgia Institute of Technology, whose research institute houses a top US cybersecurity research center, including its Apiary malware analysis and repository platform. If the threat actors obtained access or credentials for these JHU and Georgia Tech databases, they would learn about US pandemic spread and response and about what Western researchers know about malware. In addition, the threat actors could use access to the above-mentioned nuclear waste contractor and ORAU systems to obtain information on nuclear researchers. At the very least, they could use personal information to obtain login credentials or sensitive health information to blackmail and potentially recruit scientists whose research supports US nuclear weapons capabilities.
Cybersecurity officials have published threat information and advisories for organizations that use the MOVEit tool to detect the malware and patch the vulnerabilities the threat actors used. As for ordinary people whose data may have appeared in the leaks, experts say the top risk is that hackers and spammers could use the information to trick individuals into revealing more sensitive data such as bank information. Individuals should be suspicious of emails and phone calls that urge them to log in and verify their account or reset their password, especially if the message tries to panic readers into acting immediately.
The incident at Johns Hopkins Medicine affected 310,405 people, a Baltimore TV station reported on August 10 (https://www.wbaltv.com/article/johns-hopkins-data-breach-people-affected/44787414).