(Reuters) – The U.S. Department of Energy and several other federal agencies were hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software, officials said yesterday.
Data was “compromised” at two entities within the energy department when hackers gained access through a security flaw in MOVEit Transfer, the department said in a statement.
A DOE official said those entities were the DOE contractor Oak Ridge Associated Universities, and the Waste Isolation Pilot Plant – the New Mexico-based facility for disposal of defense-related nuclear waste.
British energy giant Shell SHEL.L, the University System of Georgia, the Johns Hopkins University and the Johns Hopkins Health System were also hit, all three groups said in separate statements. The latter is a nonprofit that collaborates with the university and runs six hospitals and primary care centers.
The new victims add to a growing list of entities in the U.S., Britain and other countries whose systems were infiltrated through the MOVEit Transfer software. The hackers took advantage of a security flaw that its maker, Progress Software PRGS.O, discovered late last month.
The Russia-linked extortion group Cl0p, which has claimed credit for the MOVEit hack, earlier said in a statement that it would not exploit any data taken from government agencies, and that it had erased all such data. It did not immediately respond to a request for further comment.
The U.S. Cybsecurity and Infrastructure Security Agency (CISA) said it was helping several federal agencies that had been breached, but did not name them.
“At this time, we are not tracking any significant impacts to the federal civilian executive branch (.gov) enterprise but are continuing to work with our partners on this issue,” the agency said in a statement.
The energy department, which manages U.S. nuclear infrastructure and energy policy, said it had notified Congress of the breach and is participating in investigations with law enforcement and CISA.
A Shell spokesperson said there was no evidence of impact to Shell’s core IT systems from the MOVEit Transfer-related breach. “There are around 50 users of the tool, and we are urgently investigating what data may have been impacted,” she added.
Johns Hopkins also said it was “investigating a recent cybersecurity attack targeting a widely used software tool that affected our networks.”
The University System of Georgia, which groups about 26 public colleges, said it was “evaluating the scope and severity of this potential data exposure” from the MOVEit hack.
Large organizations including the UK’s telecom regulator, British Airways, the BBC and drugstore chain Boots emerged as victims last week.
CISA did not immediately respond to requests seeking further comment. The FBI and National Security Agency also did not immediately respond to emails seeking details on the breaches.
A MOVEit spokesperson said the company had “engaged with federal law enforcement” and was working with customers to help them apply fixes to their systems.
Progress Software’s shares ended down 6.1% on Thursday. The company disclosed another “critical vulnerability” it found in MOVEit Transfer on Thursday, although it was not clear whether it had been exploited by hackers.
MOVEit Transfer is a popular tool used by organizations to share sensitive information with partners or customers. It could be used by a bank’s customers, for instance, to upload their financial data for loan applications, said John Hammond, a security researcher at Huntress.
“There’s a whole lot of potential for what an adversary might be able to get into,” he said earlier this month.