MOVEit hack spawns 600 breaches, and counting

About 40-million people have been affected so far as breach of file management program spirals outwards

Picture: 123RF/GLEB STOCK

A hydra-headed breach centred on a single American software maker has compromised data at about 600 organisations worldwide, according to tallies by cyber analysts.

But more than two months after the breach was first disclosed by Massachusetts-based Progress Software, the parade of victims has scarcely slowed. The tallies show that nearly 40-million people have been affected so far by the hack of Progress’ MOVEit Transfer file management program. Now the digital extortionists involved, a group named cl0p, have become increasingly aggressive about thrusting their data into the public domain.

“We are just in the very, very early stage of this,” said Marc Bleicher, chief technology officer of the incident response firm Surefire Cyber. “I think we’ll start to see the real impact and fallout down the road.”

MOVEit is used by organisations to ship large amounts of often sensitive data: pension information, social security numbers, medical records, billing data and the like. Because many of those organisations were handling data on behalf of others, who in turn got the data from third parties, the hack has spiralled outward in sometimes convoluted ways.

For example, when cl0p subverted the MOVEit software used by a company called Pension Benefit Information, which specialises in locating surviving family members of pension fundholders, they gained access to the data of the New York-based Teachers Insurance and Annuity Association of America, which in turn manages pension programs for 15,000 institutional clients, many of whom have spent the past weeks notifying employees of their exposure.

“There’s this domino effect,” said Huntress Security’s John Hammond, one of the earliest researchers to start tracking the breach.

Hacks by groups such as cl0p occur with a numbing regularity. But the sheer variety of victims of the MOVEit compromise, from New York public school students and Louisiana drivers to California retirees, has made it one of the most visible examples of how a single flaw in an obscure piece of software can trigger a global privacy disaster.

Christopher Budd, a cybersecurity expert with the British firm Sophos, said the breach was a reminder of how interdependent organisations are on one another’s digital defences.

Progress said it had been the victim of “an advanced and persistent cybercriminal group” and that its focus was on supporting its customers.

‘Thousands of companies’

Cl0p’s hacking campaign began on May 27, according to two people familiar with the Progress investigation.

Progress first got wind of the compromise the next day, when a customer alerted the firm to anomalous activity, these sources said. On May 30 the company sent a warning, and the next day issued a “patch”, or repair, which partially thwarted the hackers’ campaign.

“Many organisations were able to deploy the patch before it could be exploited,” said Eric Goldstein, a senior official at the US Cybersecurity and Infrastructure Security Agency.

Not all organisations were so lucky. Details on the amount of stolen material or the number of organisations affected are not publicly available but Nathan Little, whose firm Tetra Defense has responded to dozens of MOVEit-related incidents, estimated the breach probably affected thousands of companies.

“We may never know the exact detailed number,” he said.

Some analysts have tried to keep track. By August 6, cybersecurity firm Emsisoft had totalled 597 victims with 39.7-million people affected.

German IT specialist Bert Kondruss has come up with similar figures, which were corroborated by cross-checking them against public statements, corporate filings and cl0p’s posts.

Who’s been exposed?

Educational organisations — colleges, universities, and even New York City public schools — accounted for a quarter of the victims, with Emsisoft and Kondruss counting more than 100 in the US alone.

The exposure has gone well beyond academia.

Drive a car? The Louisiana and Oregon motor vehicle authorities collectively disclosed the compromise of around 9-million records. Retired? Pension management organisations such as the California Public Employees’ Retirement System and T. Rowe Price were breached via Pension Benefit Information. The breach at US government contractor Maximus alone resulted in the compromise of between 8-million and 11-million people's records.

A tenuous silver lining? The hackers may have ingested too much data to release it all.

Alexander Urbelis, senior counsel with New York-based law firm Crowell & Moring, which has helped victims gauge their exposure to the hackers’ dragnet, said extraordinarily slow download speeds from the hackers’ creaky darknet website “made it all but impossible for anyone” — whether well-intentioned or otherwise — “to access the stolen data”.

Goldstein said that “in many cases” data had yet to be leaked.

Cl0p, which didn’t reply to messages, seems to be trying to up its game. Late last month it created websites specifically intended to better spread stolen data. Earlier this week it started sharing the data via peer-to-peer networks.

That’s bad news for the victims, said Bleicher.

“Once this data starts to be slowly leaked, it shows up more on the underground,” he said. The impact of the breach “will probably get much larger than we think it is now.”

Reuters
