A Russian-speaking hacking group gained access to the email addresses of approximately 632,000 US federal employees at the Department of Defense and the Department of Justice during the MOVEit hack last summer, according to a report obtained through a Freedom of Information Act request. The report, issued by the US Office of Personnel Management, reveals new information about the cyberattack that exploited vulnerabilities in MOVEit, a widely used file-transfer tool. While federal cybersecurity officers previously acknowledged that government agencies were affected by the attack, little information has been provided about the scale of the attack or the specific agencies impacted.
According to a report submitted by the Office of Personnel Management to a congressional committee in July, an unauthorized actor obtained access to government email addresses, links to government employee surveys administered by OPM, and internal OPM tracking codes. The affected employees were from the Department of Justice and various divisions of the Defense Department, including the Air Force, Army, US Army Corps of Engineers, the Office of the Secretary of Defense, the Joint Staff, Defense Agencies, and Field Activities.
The Office of Personnel Management described the hack, which occurred on May 28 and May 29, as a “major incident.” However, it also stated that there was no reason to believe it posed a significant risk and that the compromised data was generally of low sensitivity and not classified.
The Department of Justice and the Department of Defense have not yet responded to requests for comment.
Several other US agencies have confirmed being affected by the MOVEit breach, including the Department of Health and Human Services, the Department of Agriculture, and the General Services Administration. The Energy Department received ransom demands from the hackers after two of its entities fell victim to the intrusion.
The attack has been attributed to a hacking group called Clop or Cl0p. According to Brett Callow, a threat analyst at cybersecurity firm Emsisoft, over 2,500 organizations have been impacted. Among the victims are Maximus Inc, a government services provider, and the Louisiana Office of Motor Vehicles.
The eight-page report, submitted to the House Science, Space and Technology Committee, disclosed that hackers exploited vulnerabilities in the MOVEit file transfer program used by vendor Westat Inc, which OPM employs to conduct Federal Employee Viewpoint Surveys. However, the report states that there is no indication that any unauthorized user accessed the survey links.
The parent company of MOVEit, Progress Software Corp, stated that it has taken measures to mitigate the impact of the cyberattack. The company also expressed sympathy for affected users and a commitment to collaborating in an industry-wide effort to combat cybercriminals.
Westat, the vendor involved in the attack, stated that it conducted an extensive investigation and worked with third-party specialists to assess system security and minimize the likelihood of future incidents.
– Bloomberg