The Cybersecurity and Infrastructure Security Agency (CISA), the country's top civilian-operated cybersecurity watchdog overseen by the Department of Homeland Security, reported the cyberattack on Thursday, June 15.
CISA confirmed that it was providing support to several federal agencies "that have experienced intrusions affecting their [file transfer] applications."
"We are working urgently to understand impacts and ensure timely remediation," said CISA in a statement.
The hackers exploited a vulnerability in the file-sharing program MOVEit Transfer, a popular tool used by government agencies to transfer files quickly.
In an interview, CISA Director Jen Easterly claimed the agency was tracking the hackers "as a well-known ransomware group," without going into specifics.
A cybercriminal organization known as CL0p later claimed credit for the hack. The group, which has been active since at least 2014 and is believed to operate within Russia with the tacit approval of Russian intelligence services, may have conducted the cyberattack in response to a warning by CISA and the Federal Bureau of Investigation advising CL0p against exploiting previously unknown vulnerabilities in MOVEit.
In a rapid hacking spree, the group used the flaw to steal files from at least 47 organizations and demand payment not to publish them online.
"They've started releasing some of the data that was stolen as part of their work to extort these companies," said Anne Neuberger, deputy national security advisor for cyber and emerging technology for the National Security Council. She noted that the hackers attacked companies across the world, moving "large files" into their databases.
"We strongly encourage anyone who was a user of the software to, of course, patch [the vulnerability] and lock down their systems," Neuberger added.
Some organizations have already admitted to being potentially attacked by CL0p. Johns Hopkins University said in a statement that it was "investigating a recent cybersecurity attack … that affected our networks."
The University System of Georgia, which includes about 26 public colleges, said it was similarly "evaluating the scope and severity of this potential data exposure."
Multinational energy company Shell admitted that it was targeted, but claimed there was no evidence that the cyberattack impacted the company's core IT systems.
Other notable victims include British media outlet BBC and British Airways.
Brett Callow, a cyber threat analyst with New Zealand-based computer security firm Emsisoft, warned that "a number of as yet unidentified U.S. government agencies" were also hacked.
It is still not known just how many federal agencies were compromised. But the Department of Energy has admitted that two of its contractors were attacked by the hackers.
A spokesperson for the Energy Department claimed the affected entities were Oak Ridge Associated Universities, a research organization made up of a consortium of universities; and Waste Isolation Pilot Plant, a New Mexico-based facility for the disposal of defense-related nuclear waste.
The spokesperson added that, as of press time, there is no indication that any of the Energy Department's branches working for the military or the intelligence community were impacted.
"This is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation's networks," said the spokesperson, referring to a disruptive cyberattack in 2020 that was traced to Russian military-backed hackers.
No federal agencies have received any extortion demands from CL0p, and no federal data has been leaked to the public.
Easterly noted that the government right now is "focused specifically on the federal agencies that may be impacted" and is working hand-in-hand with CISA to mitigate the risk.
This is the third time in as many years that foreign hackers have been able to break into multiple federal agencies and get their hands on government data, although it still isn't immediately clear to the public whether the hackers in this cyberattack were able to obtain classified or otherwise sensitive files.
The 2020 attack, suspected to be of Russian origin, resulted in at least nine federal agencies being broken into. In 2021, Chinese intelligence-linked hackers broke into several federal agencies by exploiting a vulnerability in a remote work program.