At least 10 federal agencies have contracted with Ipswitch Inc., maker of the MOVEit software at the center of a cyber attack on government networks this month, federal procurement data show.
The attack affecting a “small number” of government agencies is still being assessed, officials at the Cybersecurity and Infrastructure Security Agency have said.
CISA, which monitors cyber threats and recommends policies and tools to combat them, would not say which agencies were attacked, So, far the Smithsonian Institute and the Department of the Interior denied being impacted. The Transportation Security Administration and the State Department told CNN, which first reported the hack, they also not affected by the hack. The Pentagon would not say whether it was affected, citing policy and reasons of operations security.
Media reports have confirmed that the Office of Personnel Management and the Department of Energy were affected.
The Department of Agriculture told Federal Times that fewer than 30 employees were impacted by a recent data breach to a third-party vendor. It would not confirm whether the incident was part of the MOVEit attack, which may have been carried out by Russian hackers. An agency official said those employees have been contacted.
Official said that CISA isn’t aware of any government data being leaked or any ransom demands from agencies. From May 31 to June 16, Progress Software reported three vulnerabilities in the MOVEit system. Ipswitch. Inc was bought by Progress, another IT company, for $225 million in 2019. Not all the agencies with contracts actually use the software, however.
In a customer guide document on its website, Progress confirmed “the vulnerability reported on May 31 was a zero-day vulnerability and there are reports that this vulnerability was exploited by a sophisticated cybercriminal group.”
These kinds of attacks are common of the Russian group called Clop, which officials have characterized as “opportunistic” hackers that attempt to extort users for money in exchange for freeing their data.
DOJ’s National Security Cyber Section
Cyber crimes in general pose a threat for agencies who store massive amounts of data on their own workforce, public programs and the public. On Tuesday, the Department of Justice stood up its National Security Cyber Section, a litigating body within the National Security Division that will dedicate prosecutors to national security cyber cases and support U.S. Attorneys’ Offices and FBI field offices.
“NatSec Cyber prosecutors will be positioned to act quickly, as soon as the FBI or an IC partner identifies a cyber-enabled threat, and to support investigations and disruptions from the earliest stages,” said Assistant Attorney General Matthew Olsen in a statement.
That unit builds off broader goals set out by the Biden administration’s March national cyber strategy that called for fortifying IT infrastructure and “addressing the ransomware threat.”
The problem, however, is that responses to such incidents are not consistent across agencies. Agencies don’t agree on how to measure the extent of damage or even how to define cybercrime. And while agencies may collect their own data, governmentwide, it’s not being centralized in one place.
The Government Accountability Office has said that cybercrime is likely to be underreported.
Last May, the the Better Cybercrime Metrics Act was passed to standardize reporting. That legislation also requires the FBI to create a “cybercrime” category in its National Incident-Based Reporting System, which is used by law enforcement agencies.
That category was due to be completed last month, however as of April, DOJ officials told GAO that it had not yet been able to meet with the National Academies of Science to develop this classification, as required by the law. Necessary documents are pending approval of the attorney general, they said.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 also required CISA to pilot a warning system that began in January to notify users who have been compromised by phone or email. Notifications included details about what system was impacted, who the manufacturer was, the IP address and how to deal with it.
According to Comparitech, data breaches in local, state and federal agencies over the last eight years have cost governments about $26 billion.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.