Dive Brief:
- Hackers have accessed data at the U.S. Department of Energy and other federal agencies, the Cybersecurity and Infrastructure Security Agency confirmed Thursday, according to multiple news sources.
- DOE’s Waste Isolation Pilot Plant and agency partner Oak Ridge Associated Universities experienced breaches, according to a report by Federal News Network.
- CISA and the Federal Bureau of Investigation warned last week of vulnerabilities in data-sharing software known as MOVEit, developed by Progress Software. The notice singled out Russia-linked ransomware group CL0P as potentially exploiting the software weaknesses.
Dive Insight:
The MOVEit hack exploited two previously known vulnerabilities and highlights the need to keep systems current with software patches and security updates, according to a security expert.
“Many agencies falling victim to attacks today ... appear to be compromised due to the previously released vulnerabilities that had patches released on May 31 and June 9,” Tom Marsland, vice president of technology at Cloud Range, said in a statement. Cloud Range provides companies with cybersecurity training.
“This reiterates the need for a robust vulnerability management program and goes to highlight the importance of the basic fundamentals necessary in cybersecurity,” Marsland added.
DOE was also a victim of the SolarWinds hack in 2020. However, agency officials say the MOVEit vulnerabilities are a different situation.
“This is not a campaign like SolarWinds that poses a systemic risk,” CISA Director Jen Easterly told reporters Thursday, noting it was a more “opportunistic” attack. The SolarWinds attack was widely attributed to Russian state-backed hackers.
Oil giant Shell may also have been a victim of CL0P’s exploit.
The Waste Isolation Pilot Plant is a storage repository for nuclear waste. Oak Ridge Associated Universities was originally known as the Oak Ridge Institute for Nuclear Studies and has worked with DOE for decades on a wide range of issues.
CISA is “urgently focused on addressing risks posed by this vulnerability,” Easterly said. However, “it’s important to clarify the scope and nature of this campaign.”
Based on discussions with industry partners, Easterly said it does not appear the intrusions are being “leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information.”