MOVEit Hack Compromised Data at Around 600 Organisations Globally; Fallout Is Only Beginning: Cyber Analysts

A hydra-headed intrusion centered on a U.S. software maker has compromised the data of some 600 organizations around the world, according to a tally by cyber analysts that Reuters has confirmed.

But more than two months after Massachusetts-based Progress Software first disclosed the flaw, the stream of new victims has barely slowed. Tallies show that nearly 40 million people have been affected so far by the hack of Progress’s MOVEit Transfer file management program. Now the digital extortionists involved, a group called “cl0p,” are pushing the stolen data into the public domain ever more aggressively.

“We’re in the very, very early days,” said Marc Bleicher, chief technology officer at incident response firm Surefire Cyber. “I think we’re going to start seeing real impact and consequences.”

MOVEit is used by organizations to transfer large amounts of often sensitive data: pension information, social security numbers, medical records, billing data and the like. Because many of these organizations process data on behalf of other organizations, which in turn obtain it from third parties, a single hack can spread outward in sometimes inexplicable ways.

For example, when cl0p compromised MOVEit software used by a company called Pension Benefit Information, which specializes in finding surviving family members of pension fund holders, it obtained data from the New York-based Teachers Insurance and Annuity Association, which manages the pension plans of 15,000 institutional clients, many of whom have been informing staff about their exposure over the past few weeks.

“It’s going to have a domino effect,” said John Hammond of Huntress Security, one of the first researchers to start tracking down the vulnerability.

Hacking by groups like cl0p happens with mind-numbing frequency. But the variety of victims of the MOVEit compromise, ranging from New York public school students to Louisiana drivers to California retirees, makes it one of the clearest examples of how a single flaw in an obscure piece of software can spark a global privacy disaster.

Christopher Budd, a cybersecurity expert at British firm Sophos, said the breach was a reminder of how interdependent organizations’ digital defenses are.

Progress said it was the victim of “an advanced and ongoing cybercriminal group” and that it was focused on supporting its customers.

‘Thousands of companies’

The Cl0p hack began on May 27, according to two people familiar with Progress’s investigation.

Progress first learned of the breach the next day, when a customer alerted the company to unusual activity, these sources said. The company issued a warning on May 30 and released a patch, or fix, the next day that partially thwarted the hackers’ campaign.

“In fact, many organizations were able to deploy the patch before it was exploited,” said Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency.

Not all organizations were so lucky. Details on the amount of material stolen or the number of organizations affected have not been made public, but Nathan Little, whose company Tetra Defense has responded to dozens of MOVEit-related incidents, estimates the breach may have affected thousands of companies.

“We may never know the exact detailed numbers,” he said.

Some analysts have tried to track this down. As of Sunday, cybersecurity firm Emsisoft had counted 597 victim organizations and 39.7 million people affected.

German IT expert Bert Kondruss came up with similar figures, which Reuters confirmed by cross-checking with public statements, company documents and cl0p posts.

Who was exposed?

Educational organizations — colleges, universities, and even New York City public schools — accounted for a quarter of the victims, with Emsisoft and Kondruss counting more than 100 in the US alone.

This exposure has gone far beyond academia.

Do you drive? The Louisiana and Oregon DMVs jointly disclosed the breach of approximately 9 million records. Are you retired? Pension administrators such as CalPERS and T. Rowe Price had pension-benefit information compromised. The data breach at US government contractor Maximus alone exposed the records of 8 to 11 million people.

A silver lining? Hackers may have ingested too much data to release it all.

Alexander Urbelis, a senior counsel at law firm Crowell & Moring in New York, said the slow download speeds of the hackers’ battered darknet sites “make it almost impossible for anyone” – whether in good faith or otherwise – “to access the stolen data.”

U.S. official Goldstein said that “in many cases” the data had not been leaked.

Cl0p did not respond to Reuters’ messages, but it appears to be trying to improve its game. Late last month, it created a website specifically designed to disseminate stolen data more effectively. Earlier this week, it began sharing data via a peer-to-peer network.

That’s bad news for victims, Surefire’s Bleicher said.

“Once this data starts slowly leaking out, it’s going to be more underground,” he said. In turn, the impact of the breach “could be much greater than we currently imagine”.

© Thomson Reuters 2023

