At least 100,000 people could have had their data compromised by a hack of contractors at the Department of Health and Human Services, a department official said Thursday, making it the latest US government agency to be caught up in a sweeping cyberattack connected to Russian cybercriminals.
HHS notified Congress of the breach on Tuesday and will update lawmakers as the investigation continues, the official said. Agencies are required to notify Congress of a data breach that involves the compromise of personal information of 100,000 or more people.
“While no HHS systems or networks were compromised, attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software of third-party vendors,” the official told CNN.
MOVEit is the popular file-transfer software that suspected Russian cybercriminals have exploited in recent weeks to compromise scores of companies, schools and government agencies in the US and abroad. US firm Progress Software, which makes MOVEit, issued a security update for the software but the hackers had a few days’ head start in getting into systems.
CNN first reported that several US agencies were affected by the MOVEit vulnerability, a list that includes the Department of Energy, Office of Personnel Management and US Department of Agriculture.
Bloomberg News first reported that HHS was affected.
Federal officials have blamed the hacking campaign exploiting the software on a Russian-speaking group known as CLOP. The hackers are generally stealing data from victims rather than encrypting their computers with ransomware and using the stolen data to make extortion demands.
CLOP’s impact on federal agencies has been limited, officials say, but elsewhere millions of Americans have had their personal data accessed. Motor vehicle departments in Louisiana and Oregon, and California’s public pension fund have all had data stolen.
Big-name victims or targets of the hack have continued to emerge.
A spokesperson for Siemens Energy told CNN on Tuesday that the company was “among the targets” of the hack, but that “no critical data has been compromised and our operations have not been affected.”
The University of California Los Angeles had its MOVEit platform hacked on May 28, a university spokesperson told CNN on Tuesday. “This is not a ransomware incident,” the spokesperson said. “There is no evidence of any impact to any other campus systems.”
The hackers have been known to demand tens of millions of dollars in ransom in previous campaigns. But they are publishing a lot of the data stolen through the MOVEit hacks on their dark-web extortion site – a sign that some efforts to extract ransoms have failed.
Some victims have paid the hackers, Charles Carmakal – an executive at Mandiant Consulting, a Google-owned firm hired by some victims to respond to the hacking – previously told CNN. It’s unclear how many of the victims have paid off the hackers or how much they have paid. Carmakal and others have declined to comment on that.
But even a handful of victims with high payouts can be profitable and fuel future hacks.
“We have many active forensic investigations involving this vulnerability involving data theft and extortion with unusually high ransom demands,” Shane Sims, a former supervisory special agent at the FBI who is now CEO of cybersecurity firm Kivu Consulting, told CNN. “Victims span the US and UK, and include the financial, industrial, legal, health care and technology sectors.”