In the latest cyber incident affecting the US federal government, two arms of the US Department of Energy (DOE) and, according to press reports, the US Department of Agriculture and the Office of Personnel Management, have been swept up in a sprawling spree of attacks by the Russia-based Clop ransomware gang.

The Clop organization is exploiting vulnerabilities in Progress Software’s MOVEit Transfer secure file transfer platform to attack dozens of public and private sector organizations worldwide. Progress disclosed the first flaw, a SQL injection vulnerability, on May 31. On June 9, Progress reported a second flaw, another SQL injection vulnerability, that “could lead to escalated privileges and potential unauthorized access to the environment.” The company has issued patches for both flaws.

The Clop gang is generally considered to be a Russian cybercriminal group (ostensibly not operating at the behest of the Kremlin), and it operates with impunity inside Russia’s borders. However, the group’s status as a non-state actor may not last: the US State Department’s Rewards for Justice program has announced a bounty of up to $10 million for information conclusively linking the Clop ransomware attacks to a foreign government.

“I feel like this specific attack could be one of the largest cyberattacks that we've had in quite a while, if not the largest that we've experienced,” Demetrice Rogers, cybersecurity specialist and adjunct professor at Tulane University, tells CSO. “There are a lot of users of the MOVEit file transfer software, a lot of government organizations, a lot of private organizations and state governments,” so there’s no telling how many ultimate victims there are. Progress Software says thousands of enterprises, including 1,700 software companies and 3.5 million developers, use MOVEit.

An unknown number of agencies have been affected

In a press briefing last week, Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency (CISA), said these “opportunistic” agency attacks had not had “significant impacts” on government enterprise. Easterly said her agency was unaware that the Clop threat actors had threatened to extort or release any data stolen from government agencies at that time.

However, more recent reports suggested that the two DOE facilities, Oak Ridge Associated Universities and DOE’s Waste Isolation Pilot Plant near Carlsbad, New Mexico, had received ransom demands. These ransom demands run counter to Clop’s contention that they delete any data stolen from governments.

During the press briefing, one senior administration official said that after issuing a joint advisory with the FBI containing recommended actions and mitigations to address the MOVEit vulnerability, “we quickly moved to drive national mitigation efforts, including by adding this vulnerability to our known exploited vulnerability catalog, thereby establishing a mandate for federal agencies to mitigate and sending a strong signal to the broader cybersecurity community.”

The official also said that the federal government is moving quickly to address other file-sharing applications and is “working with the broader technology community to ensure that every product has the appropriate security controls and design features to reduce the likelihood and prevalence of these kinds of intrusions.”

CISA says no evidence of impact on US military or intelligence

CISA is not “going to disclose the identity of any other impacted agencies or victims” at this time, the official said. Still, the agency is “not aware of any impact to military branches or the IC at this time.” The attacks on the agencies occurred in the window between when the MOVEit flaw was announced and when the agencies implemented patches. “At this point, we are not aware of any federal agencies that are running unmitigated instances of the MOVEit application.”

The official warned that “Every organization that is running this product across the country should have implemented the appropriate patch, and if they have not yet done so, they need to do so with all urgency, and CISA will continue amplifying the importance of these mitigations both nationally and through our regional teams to continue to drive mitigation and reduce the risk.” Meanwhile, “across the federal civilian executive branch, we are working with agency CIOs and CISOs to ensure that we understand any impacts and that appropriate actions are being taken in response.”

Other government and business organizations have been exploited

In addition to the US federal government, at least two state governments have been hit with Clop attacks, including the State of Oregon, which revealed that a MOVEit breach in its Department of Motor Vehicles system affected 3.5 million Oregonians with driver’s licenses or state ID cards. The State of Louisiana said that six million records were affected by a MOVEit-related breach of its Office of Motor Vehicles.

The Minnesota Department of Education said the personal information of 95,000 students was breached in a Clop exploitation of MOVEit. In Canada, the government of Nova Scotia announced it had suffered a breach in its MOVEit application.

Last week Clop released a list of its victims on its leak site, which names several US banks and universities. Many other private sector organizations across the globe, including the BBC, British Airways, drugstore giant Boots, and Shell, are among the targets hit by the recent Clop attacks.

Attacks are tied to a broader trend of data weaponization

Adam Meyers, senior vice president of intelligence at CrowdStrike, tells CSO that this recent spree by Clop “is tied to the broader activity we're seeing of data weaponization, and data weaponization is something that has been driving a lot of these criminal actors.” He noted that his firm has found that 18% to 20% of ransomware attackers don’t even bother to demand ransoms anymore, jumping straight to data extortion instead. “When you think about these file transfer utilities that they've been hitting, it factors nicely into that broader trend of data extortion.”

“I would say that you could probably expect to see more of that, not less of that,” Meyers says, “because these file transfer sites represent a good opportunity for these threat actors to start stealing sensitive information and then extort the victim.”

When will the federal government know more?

Regarding why the federal government isn’t divulging a list of agencies hit by the Clop gang, Meyers said: “The government, like many industries and organizations, has a visibility challenge. They know where they know they have it, but they don't know where they don’t have it.” Moreover, “the government isn't one monolithic infrastructure. Agencies will have sub-infrastructures, field offices, and teams doing different stuff as part of their job. As a result, they may have set up their own infrastructure for file transfer stuff.”

Tulane’s Rogers says, “I have a feeling that Clop will post more organizations on their dark web leak site over the next several days. So, if the federal government doesn't soon divulge more information on how many government agencies have been hit,” the Clop gang likely will.

Clop attacks could increase with new flaws

Clop’s exploitation of MOVEit flaws may just be beginning. On top of the original vulnerabilities that led to the current round of attacks, Progress announced it had discovered a third vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment. The company issued a patch for this bug after a proof-of-concept for the flaw was released by a researcher who goes by the handle MCKSys Argentina. Progress warns that it is “extremely important” that all MOVEit customers take immediate action to address the issue.