US energy department, other agencies hit in global hacking spree
The hackers took advantage of a security flaw that MOVEit Transfer software maker, Progress Software, discovered late in May.
WASHINGTON - The US Department of Energy and several other federal agencies were hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software, officials said on Thursday.
Data was “compromised” at two entities within the Energy Department when hackers gained access through a security flaw
An Energy Department official said those entities were the department’s contractor Oak Ridge Associated Universities and the Waste Isolation Pilot Plant – the New Mexico-based facility for disposal of defence-related nuclear waste.
British energy giant Shell, the Johns Hopkins University, the Johns Hopkins Health System and the University System of Georgia were also hit, they said in separate statements.
The new victims add to a growing list of entities in the United States, Britain and other countries whose systems were infiltrated through the MOVEit Transfer software.
The hackers took advantage of a security flaw that its maker, Progress Software, discovered late in May.
The Russia-linked extortion group Cl0p, which has claimed credit for the MOVEit hack, had said in an earlier statement that it would not exploit any information taken from government agencies, and that it had erased all such data.
It did not immediately respond to a request for further comment.
The US Cybersecurity and Infrastructure Security Agency (Cisa) said it was helping several federal agencies that had been breached, but did not name them.
“At this time, we are not tracking any significant impacts to the federal civilian executive branch (.gov) enterprise but are continuing to work with our partners on this issue,” the agency said in a statement.
The Energy Department, which manages US nuclear infrastructure and energy policy, said it had notified Congress of the breach and is participating in investigations with law enforcement and Cisa.
A Shell spokesman said there was no evidence of impact to Shell’s core IT systems from the MOVEit Transfer-related breach.
“There are around 50 users of the tool, and we are urgently investigating what data may have been impacted,” the spokesman added.
Johns Hopkins said it was “investigating a recent cyber security attack targeting a widely used software tool that affected our networks”.
The University System of Georgia, which groups about 26 public colleges, said it was “evaluating the scope and severity of this potential data exposure” from the MOVEit hack.
Large organisations, including Britain’s telecommunications regulator, British Airways, the BBC and pharmacy chain Boots emerged as hacking victims last week.
Cisa did not immediately respond to requests seeking further comment. The Federal Bureau of Investigation and National Security Agency also did not immediately respond to e-mails seeking details on the breaches.
A MOVEit spokesman said the company had “engaged with federal law enforcement” and was working with customers to help them apply fixes to their systems.
Progress Software’s shares ended down 6.1 per cent on Thursday. The company disclosed another “critical vulnerability” it found in MOVEit Transfer on Thursday, although it was not clear whether it had been exploited by hackers.
MOVEit Transfer is a popular tool used by organisations to share sensitive information with partners or customers.
It could be used by a bank’s customers, for instance, to upload their financial data for loan applications, said Mr John Hammond, a security researcher at Huntress.
“There’s a whole lot of potential for what an adversary might be able to get into,” he said earlier in June. REUTERS