Cl0p Ransomware Gang Hits Department of Energy in Mass Exploit of MOVEit Vulnerability

Date: June 15, 2023


The Russian-linked Cl0p ransomware gang is actively exploiting a patchable vulnerability in the MOVEit file transfer software to compromise multiple targets, including the US Department of Energy, according to reports.

“While the exact number of victims remains unknown, Clop on Wednesday listed the first batch of organizations it says it hacked by exploiting the MOVEit flaw,” TechCrunch reports.

“The victim list, which was posted to Clop’s dark web leak site, includes U.S.-based financial services organizations 1st Source and First National Bankers Bank; Boston-based investment management firm Putnam Investments; the Netherlands-based Landal Greenparks; and the U.K.-based energy giant Shell.”

Additionally, CyberScoop’s Christian Vasquez reports that the US Department of Energy has confirmed that "records from two DOE entities were compromised" by Cl0p attacks leveraging the MOVEit vulnerability exploit.

Takeaway: The mass exploitation of the MOVEit file transfer vulnerability by the Cl0p ransomware gang closely follows their success earlier this year in conducting the mass compromise of more than 100 organizations leveraging a vulnerability in another file transfer program called GoAnywhere.

Whether or not Cl0p has been successful in effectively monetizing these compromises to collect the ransom demands is still unclear. While the earlier attacks did not elicit much of a response from the US government aside from some FBI/CISA joint alerts, the prospect that Cl0p has trained its sights on critical infrastructure targets - namely the Department of Energy - will certainly prompt Federal authorities to ramp up their efforts against these operators.

And while the potential for widespread disruptions to the energy sector is cause for serious concern, the possibility that sensitive records at the agency may have been accessed or exfiltrated raises the stakes tremendously. The DoE not only regulates the nation's power grids, it is also the agency that manages most of our nuclear capabilities.

We know that groups like Cl0p are closely aligned with - if not, to a degree, directly controlled by - the Russian government and intelligence apparatus, and we know the Putin regime is under pressure as their invasion of Ukraine continues to falter. Given the level of support the US, along with other Western nations, is providing to Ukraine, it should not come as a surprise that they may start targeting our critical infrastructure - and some recent attacks in Germany and the UK may be linked as well.

That said, the Russians need to be very cautious about how they conduct such attacks so they don't trigger an international incident that would elicit a direct response from the US or their allies. Using ransomware gangs like Cl0p as a proxy to conduct the attacks in order to maintain plausible deniability and thwart attribution is likely the strategy here. This is one of the key reasons cyber operations have become such an important aspect of larger geopolitical issues - attribution is hard.

Also of note, both of these campaigns by Cl0p (GoAnywhere/MOVEit) are strong evidence that these ransomware operators are increasingly using automation to identify exposed organizations that may not have had the time or resources to patch against known vulnerabilities.

Given how readily Cl0p is compromising targets, it is likely they have successfully exfiltrated large amounts of confidential information from the victims. Other targets may be experiencing data loss as a precursor to the detonation of a ransomware payload at this very moment, without even realizing they are in the midst of a major cyberattack.

Today's ransomware attacks often have a long tail and can involve weeks or even months of effort by attackers to infiltrate the target network. But so far this year, Cl0p is demonstrating over and over that it only takes one vulnerability on one key piece of software to make hundreds of organizations easy targets for automated attack sequences. The attackers have upped their game - we need to respond in kind through a focus on resilience.

We will never be able to stop ransomware attacks, but we can stop them from being successful by arresting the attack at ingress or lateral movement; by preventing data exfiltration; by blocking execution of the ransomware payload; by rapidly recovering systems and minimizing downtime.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.