Global hacking campaign: Energy Dept., ORAU and other agencies hit by wave of cyberattacks

WASHINGTON – The U.S. Energy Department and other federal agencies were hit by a worldwide hacking campaign that appears to be part of a widespread and coordinated effort to exploit a vulnerability in widely used software.

One of those hit is Oak Ridge Associated Universities in Oak Ridge, Tennessee.

The U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, is providing support to the agencies "that have experienced intrusions," Eric Goldstein, CISA's executive assistant director for cybersecurity said in a release. The cyberattacks were first reported by CNN.

Goldstein said the intrusions affected the agency's MOVEit file transfer software, which encrypts files and uses secure File Transfer Protocols (FTPs), automation and analysis to transfer large volumes of data. “We are working urgently to understand impacts and ensure timely remediation.”


It was not immediately clear, CNN reported, if the hackers responsible for breaching the federal agencies were a Russian-speaking ransomware group that has claimed credit for other victims in the hacking campaign.

ORAU responds

Contacted by The Oak Ridger, the local newspaper, an ORAU spokesperson offered this statement by email on Friday afternoon:

"Oak Ridge Associated Universities (ORAU) confirmed today (Friday) that it was one of many organizations across the country affected by the MOVEit cyber incident.

One of the Oak Ridge Associated Universities buildings in Oak Ridge.

"ORAU used a Progress Software tool called MOVEit to assist with the secure transfer of information. Progress Software discovered a flaw in their MOVEit product that allowed unauthorized actors to exploit the software, resulting in access to files stored in the MOVEit secure file transfer system.

"We are properly coordinating with the Department of Energy, have secured our systems, and taken all appropriate measures in cooperation with the federal government and are working on proper notification to impacted parties."

US 'working urgently' to assess the damage

CISA Director Jen Easterly said that based on discussions CISA has had with industry partners in the Joint Cyber Defense Collaborative (JCDC), the intrusions are not being leveraged “to steal specific high value information—in sum, as we understand it, this attack is largely an opportunistic one.”

“In addition, we are not aware of CL0P actors threatening to extort or release any data stolen from U.S. government agencies,” Easterly said, referring to a ransomware gang. “Although we are very concerned about this campaign and working on it with urgency, this is not a campaign like SolarWinds that presents a systemic risk to our national security or our nation’s networks.”

SolarWinds is shorthand for one of the most damaging hacks of U.S. government agencies, which gave Russia the ability to infect or potentially spy on 16,000 computer systems worldwide. Russia was accused of infecting software with malicious code to execute the broad-scope cyber espionage campaign, and it led to broad sanctions against Moscow by the Biden administration after it was discovered in late 2020.

CISA first warned of the CL0P cyberattacks in a joint June 7 advisory with the FBI.

“We are currently providing support to several federal agencies that have experienced intrusions,” Easterly said. “We are working urgently to understand impacts and ensure timely remediation.”

A global wave of cyberattacks

The news was the latest development in recent days about widespread cyberattacks by sophisticated hackers.

The cybersecurity firm Mandiant posted new research and findings Thursday saying that suspected state-backed hackers in China had used a vulnerability in commonly used email security technology, Barracuda ESG appliances, to penetrate the networks of potentially hundreds of public and private sector organizations around the world.

Nearly a third of the victims were foreign ministries and other government agencies, the Mandiant report said.

Charles Carmakal, Mandiant's chief technical officer, described the current wave of intrusions as “the broadest cyber espionage campaign known to be conducted by a China-nexus threat actor since the mass exploitation of Microsoft Exchange in early 2021," which affected thousands of organizations.

"In the (current) Barracuda instance, the threat actor compromised email security appliances of hundreds of organizations," Carmakal said in a statement provided to USA TODAY. "For a subset of victims, they stole the emails of prominent employees dealing in matters of interest to the Chinese government."

Ransomware attacks target US government

On Wednesday, CISA and the FBI issued a joint Cybersecurity Advisory (CSA) with recommended steps to protect against what they described as the CL0P Ransomware Gang exploiting the technology vulnerability that breached several federal agencies.

Goldstein said CISA was in close contact with the software maker and the FBI "to understand prevalence within federal agencies and critical infrastructure." He urged impacted organizations to reach out to CISA via cisa.gov/report or its network of regional cybersecurity representatives.

Bryan Vorndran, assistant director of the FBI's Cyber Division, urged private sector organizations to implement the recommended steps, and to report suspected cyberattacks to local FBI field offices and CISA.

"While the FBI remains steadfast in our efforts to combat the ransomware threat at large, this is not a fight we can win alone," Vorndran said.


Also Wednesday, CISA, the FBI and international counterparts issued a separate advisory about ransomware actors using LockBit, which they said was the most globally used and prolific Ransomware-as-a-Service in 2022 and 2023. Financially motivated hackers using LockBit, they warned, "have attacked organizations of various sizes across a wide array of critical infrastructure sectors."

The advisory, like other CISA warnings, included a host of technical details about the threat and the ways to identify and defend against it.

An international response to cyberattacks

Top cyber officials from Australia, Canada and the United Kingdom weighed in on the LockBit threat and the international response to it.

“LockBit is one of the most prolific and disruptive ransomware variants, having been used by cybercriminals against multiple sectors and organisations worldwide, including in Australia,” said Abigail Bradshaw, head of the Australian Cyber Security Centre (ACSC). “With ransomware variants constantly evolving, this advice can help organisations strengthen and defend their networks.”

William “Hutch” Hutchison, former cyber exercise lead at US Cyber Command, told USA TODAY that the attack on U.S. federal government agencies "exposes the fragile nature of even the most mature institutions."

"The disruption to daily life for millions around the world and the threat to critical national infrastructure has intensified the need for government-grade cybersecurity in the wake of persistent state-based threats," said Hutchison, CEO of global cyber firm SimSpace. "If organizations and governments want to survive and succeed in the emerging cyber battleground, investing in cyber-security will be pivotal in negating the deadly reputational and financial disruption that will continue to rock the nation in 2023."

Hutchison said Mandiant’s revelation underscores the ever-present threat of attacks from China and other countries.

"The U.S. and our strategic allies are more sophisticated in their cybersecurity practices than most emerging nations, but we’ve got a long way to go," Hutchison said. "It’s not hard to compromise organizations and bring them to their knees."

Donna Smith, news editor for The Oak Ridger newspaper, contributed to this story.

This article originally appeared on USA TODAY: Global hacking campaign: DOE, ORAU other agencies hit by cyberattacks