Clop ransomware MOVEit attacks exposed email addresses of 632,000 Pentagon & DoJ employees

An internal Pentagon report has revealed that the email addresses of 632,000 Department of Justice and Pentagon staff are compromised. This follows May’s attacks by the Russian-speaking Clop ransomware group that exploited a vulnerability in the MOVEit file-transfer app.

Several key US government agencies were among the victims. Reports suggest these include the Air Force and Army as well as the Office of the Secretary of Defense.

The Office of Personnel Management (OPM) report, obtained by Bloomberg using the Freedom of Information Act, described this as a major incident. However, it concluded that the country was not placed at significant risk and that the hacked material “was generally of low sensitivity”.

Meanwhile, Forbes reported that the Clop ransomware group compromised the OPM supply chain by targeting a third-party data firm used by the government agency for employee surveys.

Lessons from MOVEit

Roger Neal, Head of Product at Apona Security, describes the MOVEit attacks as “yet another example of how things can go south if we’re not on top of what third-party software we’re using and consistently staying up to date with vulnerability management”.

In a June 2023 advisory, the National Cyber Security Centre (NCSC) stated that organisations directly affected should apply the latest vulnerability patch from MOVEit vendor Progress and check for the latest mitigation advice. This includes patches for additional vulnerabilities.

Once again, the importance of robust patch management processes comes to the fore: prioritise vulnerabilities by the risk they pose to the organisation, and ensure fixes are deployed as soon after disclosure as possible.

“Vulnerability management is not a one-off task but needs to be ongoing, especially for issues of critical nature,” Neal warns. “Hackers are relentless and continuously evolve their tactics. They probe systems for any weak link, and an outdated third-party component can be just the loophole they need to infiltrate secure networks.”

Danger from third parties

Neal points out that the MOVEit breach of OPM emails is yet another example of why tracking third-party and supply-chain components is so important to every organisation, from the smallest enterprise right up to nation-state agencies.

“It doesn’t matter if we scan for vulnerabilities if we don’t document the existence of the vulnerable component,” Neal says. “An accurate inventory of third-party components serves as a foundational element in building a resilient security posture.”

This component inventory essentially becomes a roadmap to guide the process of vulnerability management. It also ensures there are no threat vector blind spots.
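To make concrete how a component inventory drives the risk-based patch prioritisation discussed under "Lessons from MOVEit" and the blind-spot coverage described just above, the following Python script is an added example, not code from the article, from Apona Security or from any vendor. It joins a small inventory of deployed components against a list of advisories, scores each finding by severity and internet exposure, and derives a remediation deadline from the disclosure date. All component names, versions, advisory identifiers and SLA windows are constructed placeholders; the SLA policy is a hypothetical one chosen for illustration.

```python
"""Inventory-driven vulnerability triage (added example with constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    version: tuple          # parsed (major, minor, patch) so tuples compare numerically
    owner: str              # team accountable for patching this deployment
    internet_facing: bool   # exposure raises priority and shortens the deadline


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder ids, not real CVE numbers
    component: str
    affected_below: tuple   # every deployed version below this is vulnerable
    severity: str           # "critical" | "high" | "medium" | "low"
    disclosed: date


# Hypothetical remediation policy: days allowed after disclosure, by severity
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(text: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); tuples compare correctly where strings would not ('2.10' < '2.9')."""
    return tuple(int(part) for part in text.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A deployed instance is affected when the advisory names it and its version predates the fix."""
    return component.name == advisory.component and component.version < advisory.affected_below


def priority(component: Component, advisory: Advisory) -> int:
    """Severity weight, doubled when the vulnerable instance is reachable from the internet."""
    return SEVERITY_WEIGHT[advisory.severity] * (2 if component.internet_facing else 1)


def due_date(component: Component, advisory: Advisory) -> date:
    """Deadline counted from disclosure; exposed systems get half the SLA window."""
    days = SLA_DAYS[advisory.severity]
    if component.internet_facing:
        days = max(1, days // 2)
    return advisory.disclosed + timedelta(days=days)


def triage(inventory, advisories, today: date) -> list:
    """Join the inventory against advisories: one finding per (instance, advisory) pair."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if not is_affected(comp, adv):
                continue
            due = due_date(comp, adv)
            findings.append({
                "component": comp.name,
                "version": ".".join(map(str, comp.version)),
                "owner": comp.owner,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "priority": priority(comp, adv),
                "due": due,
                "overdue": today > due,
            })
    # Highest priority first; among equals, the earliest deadline first
    findings.sort(key=lambda f: (-f["priority"], f["due"]))
    return findings


# Constructed sample data: names, versions and advisory ids are invented for the example
INVENTORY = [
    Component("acme-transfer", parse_version("2.1.0"), "infra", True),
    Component("acme-transfer", parse_version("2.3.1"), "hr", False),
    Component("libfoo", parse_version("1.4.2"), "app", False),
]
ADVISORIES = [
    Advisory("ADV-0001", "acme-transfer", parse_version("2.3.0"), "critical", date(2023, 5, 31)),
    Advisory("ADV-0002", "libfoo", parse_version("1.5.0"), "medium", date(2023, 6, 15)),
    # Follow-up advisory for the same product: both deployed versions are below this fix
    Advisory("ADV-0003", "acme-transfer", parse_version("2.4.0"), "high", date(2023, 6, 9)),
]


def sample_report(today: date = date(2023, 6, 20)) -> list:
    """Run the triage over the constructed inventory as of a fixed date."""
    return triage(INVENTORY, ADVISORIES, today)


if __name__ == "__main__":
    for f in sample_report():
        state = "OVERDUE" if f["overdue"] else "due"
        print(f"[{f['priority']}] {f['advisory']} {f['component']} {f['version']} "
              f"owner={f['owner']} {f['severity']} {state} {f['due']}")
```

Two points the run makes that the prose does not: the same advisory produces a different priority and deadline for each deployed instance, so an inventory that records exposure and ownership per instance, not just product names, is what turns an advisory feed into an actionable queue; and a component missing from the inventory produces no finding at all, which is exactly the blind spot Neal describes.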

“It’s about safeguarding an organisation’s data, maintaining operational integrity, and ultimately, ensuring the trust and confidence of stakeholders and the public at large,” Neal concludes. And it’s hard to argue with any of that.

Attacked without your knowledge

There is another danger: that Clop has already attacked your business but you don’t know it.

“Unlike the more traditional ransomware gangs that are operating, this group does not bother with the encryption of the data and subsequent disruption of services,” said Erich Kron, security awareness advocate at KnowBe4.

“This means that in many cases the victims may not realise they are suffering a breach because there are no extremely evident signs such as failures of service or systems going offline.”

Kron also believes it’s dangerous to believe everything that the Clop ransomware group says.

“While the group promised to delete information related to governments, cities or police departments, it seems highly unlikely that this group is to be trusted,” he said.

“While they may not leak this information publicly, it could be of great interest to other nation states looking to gather intelligence on American citizens or government agencies, potentially offering them a source of income if willing to sell the information to these entities.”

UPDATE: 2 November. Headline changed to add “& DoJ” employees.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.