Numerous federal agencies, including Energy Department entities, have fallen prey to cyber intrusions due to a zero-day vulnerability in the widely used MOVEit file transfer service. Oak Ridge Associated Universities and the Energy Department’s Waste Isolation Pilot Plant near Carlsbad, New Mexico, experienced data breaches as a result of this vulnerability. Although the incident did not affect internal Energy Department systems, it did compromise agency data at the affected locations. The breach exposed personally identifiable information, potentially impacting tens of thousands of individuals, including Energy employees and contractors.
Energy Department officials are treating the cyber intrusion as a “major incident” and have taken immediate steps to mitigate further exposure to the MOVEit vulnerability. They have notified the Cybersecurity and Infrastructure Security Agency (CISA), Congress, and law enforcement, emphasizing their commitment to investigating the incident and minimizing the breach’s impacts. Because the MOVEit Transfer software is widely embedded in various systems, the vulnerability is expected to have broader repercussions across multiple agencies. CISA is actively providing support to affected federal agencies, working urgently to understand the extent of the impacts and facilitate timely remediation.
While the specific agencies breached and the identity of the attackers remain undisclosed, CISA’s Executive Assistant Director for Cybersecurity, Eric Goldstein, confirms the MOVEit breach’s impact on multiple federal agencies. The attackers, possibly linked to a Russia-affiliated ransomware gang, have claimed credit for the campaign targeting MOVEit applications. The Department of Veterans Affairs, on the other hand, managed to swiftly patch its MOVEit instances, avoiding any impacts on VA or veterans’ data. The widespread use of MOVEit Transfer underscores the potential for a prolonged impact, with agencies scrambling to address and rectify vulnerabilities in the face of evolving cyber threats.