Black Friday Sale! Save huge on InvestingProGet up to 60% off

Analysis-MOVEit hack spawned over 600 breaches but is not done yet -cyber analysts

Published 08/08/2023, 06:15 AM
Updated 08/08/2023, 04:22 PM
© Reuters. A sign indicates the direction to the offices of Progress Software in Burlington, Massachusetts, U.S., July 26, 2023.     REUTERS/Brian Snyder/
PRGS
-
MMS
-

By Raphael Satter and Zeba Siddiqui

WASHINGTON/SAN FRANCISCO (Reuters) -A hydra-headed breach centered on a single American software maker has compromised data at more than 600 organizations worldwide, according to cyber analyst tallies corroborated by Reuters.

But more than two months after the breach was first disclosed by Massachusetts-based Progress Software (NASDAQ:PRGS), the parade of victims has scarcely slowed. The tallies show that nearly 40 million people have been affected so far by the hack of Progress' MOVEit Transfer file management program. Now the digital extortionists involved, a group named "cl0p", have become increasingly aggressive about thrusting their data into the public domain.

"We are just in the very, very early stage of this," said Marc Bleicher, chief technology officer of the incident response firm Surefire Cyber. "I think we'll start to see the real impact and fallout down the road."

MOVEit is used by organizations to ship large amounts of often sensitive data: pension information, social security numbers, medical records, billing data and the like. Because many of those organizations were handling data on behalf of others, who in turn got the data from third parties, the hack has spiraled outward in sometimes convoluted ways.

For example, when cl0p subverted the MOVEit software used by a company called Pension Benefit Information, which specializes in locating surviving family members of pension fund holders, they gained access to the data of the New York-based Teachers Insurance and Annuity Association of America, which in turn manages pension programs for 15,000 institutional clients, many of whom have spent the past weeks notifying employees of their exposure.

"There’s this domino effect," said Huntress Security's John Hammond, one of the earliest researchers to start tracking the breach.

Hacks by groups like cl0p occur with a numbing regularity. But the sheer variety of victims of the MOVEit compromise, from New York public school students to Louisiana drivers to California retirees, have made it one of the most visible examples of how a single flaw in an obscure piece of software can trigger a global privacy disaster.

Christopher Budd, a cybersecurity expert with the British firm Sophos, said the breach was a reminder of how interdependent organizations were on one another's digital defenses.

Progress said it had been the victim of "an advanced and persistent cybercriminal group" and that its focus was on supporting its customers.

'THOUSANDS OF COMPANIES'

Cl0p's hacking campaign began on May 27, according to two people familiar with Progress’ investigation.

Progress first got wind of the compromise the next day, when a customer alerted the firm to anomalous activity, these sources said. On May 30 the company sent a warning, and the next day issued a "patch", or repair, which partially thwarted the hackers’ campaign.

"Many organizations were in fact able to deploy the patch before it could be exploited," said Eric Goldstein, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency.

Not all organizations were so lucky. Details on the amount of stolen material or the number of organizations affected are not publicly available but Nathan Little, whose firm Tetra Defense - part of the security company Arctic Wolf - has responded to dozens of MOVEit related incidents, estimated the breach likely affected thousands of companies.

"We may never know the exact detailed number," he said.

Some analysts have tried to keep track. As of Tuesday, cybersecurity firm Emsisoft had totaled up 602 victims with 39.7 million people affected.

German IT analyst Bert Kondruss has come up with similar figures, which Reuters corroborated by cross-checking them against public statements, corporate filings and cl0p’s posts.

WHO HAS BEEN EXPOSED?

Educational organizations - colleges, universities, and even New York City public schools - made up a quarter of the victims, with Emsisoft and Kondruss counting more than 100 in the U.S. alone.

The exposure has gone well beyond academia.

Drive a car? The Louisiana and Oregon motor vehicle authorities collectively disclosed the compromise of around 9 million records. Retired? Pension management organizations such as the California Public Employees' Retirement System and T. Rowe Price were breached via Pension Benefit Information. The breach at U.S. government contractor Maximus (NYSE:MMS) alone resulted in the compromise of between 8 to 11 million people's records.

A tenuous silver lining? The hackers may have ingested too much data to release it all.

Alexander Urbelis, senior counsel with New York-based law firm Crowell & Moring, which has helped victims gauge their exposure to the hackers’ dragnet, said extraordinarily slow download speeds from the hackers' creaky darknet website "made it all but impossible for anyone" - whether well-intentioned or otherwise - "to access the stolen data."

Goldstein, the U.S. official, said in "in many cases" data had yet to be leaked.

Cl0p, which didn't return Reuters' messages, seems to be trying to up its game. Late last month it created websites specifically intended to better spread stolen data. Earlier this week it started sharing the data via peer-to-peer networks.

© Reuters. A sign indicates the direction to the offices of Progress Software in Burlington, Massachusetts, U.S., July 26, 2023.     REUTERS/Brian Snyder/

That's bad news for the victims, said Surefire's Bleicher.

"Once this data starts to be slowly leaked, it shows up more on the underground," he said. The impact of the breach in turn "will probably get much larger than we think it is now."

Latest comments

Risk Disclosure: Trading in financial instruments and/or cryptocurrencies involves high risks including the risk of losing some, or all, of your investment amount, and may not be suitable for all investors. Prices of cryptocurrencies are extremely volatile and may be affected by external factors such as financial, regulatory or political events. Trading on margin increases the financial risks.
Before deciding to trade in financial instrument or cryptocurrencies you should be fully informed of the risks and costs associated with trading the financial markets, carefully consider your investment objectives, level of experience, and risk appetite, and seek professional advice where needed.
Fusion Media would like to remind you that the data contained in this website is not necessarily real-time nor accurate. The data and prices on the website are not necessarily provided by any market or exchange, but may be provided by market makers, and so prices may not be accurate and may differ from the actual price at any given market, meaning prices are indicative and not appropriate for trading purposes. Fusion Media and any provider of the data contained in this website will not accept liability for any loss or damage as a result of your trading, or your reliance on the information contained within this website.
It is prohibited to use, store, reproduce, display, modify, transmit or distribute the data contained in this website without the explicit prior written permission of Fusion Media and/or the data provider. All intellectual property rights are reserved by the providers and/or the exchange providing the data contained in this website.
Fusion Media may be compensated by the advertisers that appear on the website, based on your interaction with the advertisements or advertisers.
© 2007-2024 - Fusion Media Limited. All Rights Reserved.