In recent weeks, the US Federal government has come under a series of hacks that have been traced to Russian-backed actors. These attacks are part of a larger string of attacks all over the world and have shown that many of our institutions have not learned their lesson about cyber breaches.
In a series of attacks over the last few months, forty-seven different targets were compromised through a previously unknown exploit in a program all the victims use. The program, called MOVEit and developed by Progress Software, provides secure file transfers between two parties using encryption alongside other file transfer tooling. However, in the last month, three vulnerabilities were identified, with one, CVE-2023-34362
Using a program called LEMURLOOT, hackers of the Russian-backed group Cl0p were able to exploit the vulnerability by tricking MOVEit Transfer into treating them as legitimate users. According to Mandiant, “LEMURLOOT is a web shell written in C# tailored to interact with the MOVEit Transfer platform. The malware authenticates incoming connections via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, create and insert a particular user, or delete this same user. Data returned to the system interacting with LEMURLOOT is compressed.” (1) As a result, Progress released an emergency patch to close this vulnerability; however, not everyone has applied it yet.
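A web shell such as the one Mandiant describes has to exist as a file that the web server will execute, so one practical defensive check is a file-integrity baseline of the application's web root: hash every file on a known-good install, then periodically diff the directory and flag any added or modified server-executable file. The script below is an added example written for this article, not code from Progress, Mandiant, or the original post; it does not target LEMURLOOT specifically, and the web root, file names and extension list are constructed for the demonstration.

```python
"""Added example (not from the article, Progress, or Mandiant): detect files
dropped into, or altered in, a web application directory by comparing the
directory against a hashed baseline. Paths, sample files and the extension
list are constructed for this demonstration."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Extensions a web server would execute; constructed list for the demo.
EXECUTABLE_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(web_root: Path) -> dict[str, str]:
    """Map each file's path (relative to web_root, POSIX-style) to its digest."""
    baseline: dict[str, str] = {}
    for path in web_root.rglob("*"):
        if path.is_file():
            baseline[path.relative_to(web_root).as_posix()] = sha256_file(path)
    return baseline


def diff_against_baseline(web_root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return added, modified and removed files relative to the stored baseline."""
    current = build_baseline(web_root)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    return {"added": added, "modified": modified, "removed": removed}


def suspicious_web_files(changes: dict[str, list[str]]) -> list[str]:
    """Added or modified files the server would execute: web shell candidates."""
    candidates = changes["added"] + changes["modified"]
    return sorted(p for p in candidates if Path(p).suffix.lower() in EXECUTABLE_EXTENSIONS)


def demo() -> list[str]:
    """Constructed scenario: a clean install, then one dropped .aspx, one tampered
    page, and one harmless text file. Only the two executable files are flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.aspx").write_text("<%-- legitimate page (constructed) --%>")
        (root / "static").mkdir()
        (root / "static" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        baseline = build_baseline(root)

        # Simulated post-compromise state; the .aspx content is a placeholder, not a shell.
        (root / "dropped.aspx").write_text("<%-- constructed placeholder --%>")
        (root / "index.aspx").write_text("<%-- tampered (constructed) --%>")
        (root / "static" / "notes.txt").write_text("harmless new file")

        return suspicious_web_files(diff_against_baseline(root, baseline))


if __name__ == "__main__":
    for flagged in demo():
        print(f"investigate: {flagged}")
```

In production the baseline would be written out right after a verified install or patch and stored somewhere the web server's service account cannot modify; regenerating it from a possibly compromised host defeats the purpose. Removed files are reported too, since attackers sometimes delete or replace legitimate handlers, but they are not treated as shell candidates.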
The victims of these breaches varied, but perhaps the most well-known was the US government. Specifically, two sites within the Department of Energy were targeted, the Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, the former being a research contractor with the Department, the latter dealing with nuclear waste disposal. It is the third known time in as many years that foreign hackers have been able to break into multiple federal agencies and steal information. In 2020, hackers working for Russian intelligence broke into nine agencies by first hacking into software those agencies used that was developed by a Texas company called SolarWinds. The next year, Chinese intelligence hackers broke into additional agencies through a remote work program called Pulse Secure. (2)
The Department of Energy was the big name in these hacks, but it was not the only victim. Domestically, the University System of Georgia,
The fact that the US government continues to be breached is a warning to other companies and to private citizens that they are just as vulnerable to these attacks. Being the low-hanging fruit that appeals to attackers is a constant danger in cybersecurity. Yet most people do not take it seriously, and the result is millions in damages that may or may not be covered by insurance. Education, vigilance, and training are the keys to preventing bigger breaches in the future.