Senior government officials are racing to limit the impact of what’s believed to be a global cyberattack affecting U.S. federal agencies and allies, including NATO member countries.
The Cybersecurity and Infrastructure Security Agency (CISA) confirmed in a statement Thursday that it was providing support to “several federal agencies that have experienced intrusions affecting their [file transfer] applications.”
“We are working urgently to understand impacts and ensure timely remediation,” the statement continued.
One cybersecurity expert characterized the breach as one of the largest theft and extortion events in recent history. Victims include Johns Hopkins University, the University of Georgia, the BBC and British Airways.
Cybersecurity experts say the hacking gang has been active since at least 2014 and is believed to operate from Russia with the tacit approval of Moscow’s intelligence services. CISA Director Jen Easterly identified the hackers as CLOP Ransomware.
“They’re basically taking data and looking to extort it,” Easterly said.
Brett Callow, a cyber threat analyst with Emsisoft, told CBS News that there were 47 confirmed victims so far, “plus a number of as yet unidentified U.S. government agencies.” He added that CLOP claimed “hundreds of organizations have been impacted.”
CLOP works by seizing sensitive data and holding it for ransom, threatening “after 7 days your data will start to be published.” It’s exploiting a vulnerability in a software program called MoveIt Transfer, which is widely used to transfer data.
A CISA analyst note described CLOP as a ransomware variant that uses a double extortion ransomware strategy. The cybercriminal gang steals the information before encrypting it and then demands a ransom to head off the leaking of that information on CLOP’s ransomware site.
At this point, Easterly says the government is “focused specifically on the federal agencies that may be impacted” and is “working hand-in-hand with them to mitigate the risk.”
“We understand there are businesses, though, around the world,” she added.
Researcher Brett Callow says victims also include banks and credit unions.
The FBI and CISA warned last week that in late May, a ransomware gang began exploiting a vulnerability in the file-sharing software MoveIt Transfer.
The FBI declined to comment, but referred CBS News to the security advisory about MoveIt, which also encouraged private sector partners to implement recommended measures to protect themselves from the ransomware and to report any suspicious cyber activity to local FBI offices and CISA.
Nicole Sganga and Robert Legare contributed to this report.