The U.S. government has been hit in a global hacking campaign that exploited a vulnerability in widely used software but does not expect it to have significant impact, the nation’s cyber watchdog agency said on Thursday.
Several federal bodies had experienced intrusions following the discovery of a weakness in the file transfer software MOVEit, Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said in a statement.
“We are working urgently to understand impacts and ensure timely remediation,” he said. CNN first reported on the statement.
CISA did not identify the agencies that were hit or say exactly how they had been affected. It did not immediately respond to requests seeking further comment. The FBI and National Security Agency also did not immediately respond to emails seeking details on the breaches.
The United States does not expect any “significant impact” from the breach, CISA Director Jen Easterly told MSNBC.
MOVEit, made by Progress Software Corp, is typically used by organizations to transfer files between their partners or customers.
It could be used by a financial institution that requires its customers to upload their data to apply for a loan, John Hammond, a senior researcher at the security firm Huntress, said earlier this month.
“There’s a whole lot of potential for what an adversary might be able to get into,” he said.
The online extortion group Cl0p, which has claimed credit for the MOVEit hack, has previously said it would not exploit any data taken from government agencies.
“IF YOU ARE A GOVERNMENT, CITY OR POLICE SERVICE DO NOT WORRY, WE ERASED ALL YOUR DATA,” the group said in a statement on its website.
Neither Cl0p nor Progress immediately responded to requests for comment.
(Reporting by Raphael Satter, Kanishka Singh, Zeba Siddiqui, Shivani Tanna and Chandi Shah; editing by Jonathan Oatis, Angus MacSwan and Bill Berkrot)