Several U.S. federal government agencies have been hit in a global hacking campaign that exploited a vulnerability in widely used file-transfer software, the nation’s cyber watchdog agency said on Thursday.
The statement by the Cybersecurity and Infrastructure Security Agency (CISA) added to a growing list of entities in the U.S., UK and other countries whose systems were infiltrated through the MOVEit Transfer software. The hackers took advantage of a security flaw that its maker, Progress Software, discovered late last month.
“We are working urgently to understand impacts and ensure timely remediation,” Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a statement.
CISA did not identify the U.S. agencies hit or detail the impact on them.
British energy giant Shell, the Johns Hopkins University, the Johns Hopkins Health System and the University System of Georgia were also hit, they said in separate statements.
Shell spokeswoman Anna Arata said MOVEit Transfer is used by “a small number” of Shell employees and customers.
“There is no evidence of impact to Shell’s core IT systems,” she said. “There are around 50 users of the tool, and we are urgently investigating what data may have been impacted.”
Johns Hopkins said it was “investigating a recent cybersecurity attack targeting a widely used software tool that affected our networks, as well as thousands of other large organizations around the world.”
The University System of Georgia, which groups about 26 public colleges, said it was “evaluating the scope and severity of this potential data exposure” from the MOVEit hack.
Large organizations including the UK’s telecom regulator, British Airways, the BBC and drugstore chain Boots emerged as victims last week.
The UK telecom regulator said hackers stole data from its systems, while the personal information of tens of thousands of employees of British Airways, Boots and the BBC was also exposed.
CISA did not immediately respond to requests seeking further comment. The FBI and National Security Agency also did not immediately respond to emails seeking details on the breaches.
The United States does not expect any “significant impact” from the breach, CISA Director Jen Easterly told MSNBC.
MOVEit is typically used by organizations to transfer files between their partners or customers. A MOVEit spokesperson said the company had “engaged with federal law enforcement” and was working with customers to help them apply fixes to their systems.
New Vulnerability Found
Progress Software’s shares ended down 6.1% on Thursday. The company disclosed another “critical vulnerability” it found in MOVEit Transfer on Thursday, although it was not clear whether it had been exploited by hackers.
The online extortion group Cl0p, which has claimed credit for the MOVEit hack, has previously said it would not exploit any data taken from government agencies.
“IF YOU ARE A GOVERNMENT, CITY OR POLICE SERVICE DO NOT WORRY, WE ERASED ALL YOUR DATA,” the group said in a statement on its website.
Cl0p did not immediately responded to a request for comment.
John Hammond, a security researcher at Huntress, said MOVEit is used to transfer sensitive information, such as by bank customers to upload their financial data for loan applications.
“There’s a whole lot of potential for what an adversary might be able to get into,” he said earlier this month.