Two major energy corporations have fallen victim to the MOVEit breach, the latest targets in an ongoing hacking campaign that has struck a growing number of organizations including government agencies, states and universities.
CL0P, the ransomware gang executing the attacks, added both Schneider Electric and Siemens Energy to its leak site on Tuesday. Siemens confirmed that it was targeted; Schneider said it is investigating the group’s claims.
Since early June, the hacking campaign has added more than 100 victims after CL0P began to take advantage of a vulnerability in MOVEit, a widely used file transfer tool from Progress Software. Multiple federal agencies, including two Department of Energy entities, have been affected by the vulnerability, federal authorities have said. Additional reporting has indicated that the Department of Agriculture may have had a “possible breach” and the Office of Personnel Management is also affected.
Both Siemens Energy and Schneider Electric are among the largest vendors in industrial control systems, though there is little indicated of what information the hackers may have pilfered. Cybersecurity and Infrastructure Security Agency Director Jen Easterly has previously said that the MOVEit campaign appears to be largely opportunistic and the stolen files may be limited to what was in the software at the time the bug was exploited.
“As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred,” Easterly said on June 15.
“Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis, no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident,” a Siemens spokesperson said in an email.
A Schneider spokesperson said that the company became aware of the vulnerability on May 30 and “promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely.”
“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well,” the spokesperson said in an email.
Since the Russian-speaking CL0P began publicizing its victims, state and local governments appear to have been heavily affected by the campaign as at least seven have been hit, including the nation’s largest public-employee pension fund the California Public Employees’ Retirement System. Over the weekend, around 45,000 New York City public school students had their personal data stolen which included information like Social Security numbers, StateScoop reported.
The State Department has offered a $10 million reward for information leading to the actors linking to the CL0P ransomware gang.