In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

Photo of Sinan Pismisoglu Sinan Pismisoglu

Sinan Pismisoglu advises clients on product development, privacy and security compliance, AI ethics, SaaS contracting, Big Data, data licensing and ownership, supply chain and vendor management, and incident preparedness and response. He solves complex cybersecurity, information security, compliance, and operational issues beginning with…

Sinan Pismisoglu advises clients on product development, privacy and security compliance, AI ethics, SaaS contracting, Big Data, data licensing and ownership, supply chain and vendor management, and incident preparedness and response. He solves complex cybersecurity, information security, compliance, and operational issues beginning with early planning and prevention through detection, remediation, and crisis management. Sinan collaborates with engineering teams to create compliance-integrated risk management frameworks, governance, and ethics programs for emerging technologies such as AI/ML, cybersecurity, IoT, and cloud models.

Photo of Erin Jane Illman Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly…

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Photo of Eric Setterlund Eric Setterlund

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and…

Eric Setterlund serves as counsel in Bradley’s Healthcare and Cybersecurity and Privacy practice groups. He has extensive experience with matters related to healthcare privacy, security protections and regulatory compliance. Prior to joining the firm, Eric served as chief privacy officer and privacy and data counsel for BlueCross BlueShield of Tennessee. He draws upon his real-world business and program management experience to provide his clients practical advice for complex regulatory and transactional matters.

Photo of Brett Lawrence Brett Lawrence

Brett Lawrence is an associate in the Banking and Financial Services Practice Group who focuses his practice on data privacy and cybersecurity issues, insurance coverage, and other general and professional liability matters. He is a Certified Information Privacy Professional (CIPP/US) by the International…

Brett Lawrence is an associate in the Banking and Financial Services Practice Group who focuses his practice on data privacy and cybersecurity issues, insurance coverage, and other general and professional liability matters. He is a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.