By Raphael Satter and Zeba Siddiqui
WASHINGTON/SAN FRANCISCO (Reuters) – A hydra-headed breach centered on a single US software maker has compromised data at about 600 organizations worldwide, according to figures from cyber analysts corroborated by Reuters.
But more than two months after the breach was first disclosed by Massachusetts-based Progress Software, the parade of victims has hardly slowed. The figures show that nearly 40 million people have been affected so far by the hack of Progress’s MOVEit Transfer file transfer software. Now the digital extortionists involved, a group called “cl0p”, have become increasingly aggressive in making the stolen data public.
“We’re still at a very, very early stage,” said Marc Bleicher, chief technology officer of incident response company Surefire Cyber. “I think we’re going to see the real impact and consequences later.”
MOVEit is used by organizations to transfer large volumes of often sensitive data: pension information, social security numbers, medical records, billing information, and the like. Because many of those organizations process data on behalf of others, who in turn received it from third parties, the hack has spread outward in sometimes complicated ways.
For example, when cl0p subverted the MOVEit software used by a company called Pension Benefit Information, which specializes in locating surviving relatives of pension fund holders, it gained access to data from the New York-based Teachers Insurance and Annuity Association of America, which in turn manages retirement programs for 15,000 institutional clients, many of which have been informing employees about their exposure in recent weeks.
“There’s a domino effect,” said Huntress Security’s John Hammond, one of the first investigators to begin tracking down the breach.
Hacks by groups like cl0p occur with stupefying regularity. But the sheer variety of victims of the MOVEit compromise, from New York public school students to Louisiana drivers to California retirees, has made it one of the most visible examples of how a single flaw in an obscure piece of software can lead to a global privacy disaster.
Christopher Budd, a cybersecurity expert at Britain’s Sophos, said the breach was a reminder of how dependent organizations are on each other’s digital defenses.
Progress said it had fallen victim to “a sophisticated and persistent group of cybercriminals” and its focus was on supporting its customers.
Cl0p’s hacking campaign began May 27, according to two people familiar with Progress’ research.
Progress first got wind of the compromise the next day, when a customer alerted the company to anomalous activity, these sources said. On May 30, the company sent out a warning and the next day released a “patch,” or fix, that partially thwarted the hackers’ campaign.
“Many organizations were actually able to deploy the patch before it could be exploited,” said Eric Goldstein, a senior official with the US Cybersecurity and Infrastructure Security Agency.
Not all organizations were so lucky. Details about the amount of stolen data or the number of organizations affected are not publicly available, but Nathan Little, whose company Tetra Defense has responded to dozens of MOVEit-related incidents, estimated that the breach had likely affected thousands of companies.
“We may never know the exact detailed number,” he said.
Some analysts have tried to keep count. As of Sunday, cybersecurity company Emsisoft had tallied 597 victim organizations and 39.7 million affected individuals.
German IT specialist Bert Kondruss came up with similar figures, which Reuters confirmed by comparing them against public statements, company documents and cl0p’s own postings.
WHO IS EXPOSED?
Educational organizations — colleges, universities, and even public schools in New York City — made up a quarter of the victims, with Emsisoft and Kondruss counting more than 100 in the U.S. alone.
The exposure has gone far beyond academia.
Drive a car? The motor vehicle agencies of Louisiana and Oregon jointly disclosed the compromise of about 9 million records. Retired? Pension administrators such as the California Public Employees’ Retirement System and T. Rowe Price were breached through Pension Benefit Information. The breach at Maximus, a US government contractor, alone exposed the files of between 8 and 11 million people.
A thin silver lining? The hackers may have received too much data to release everything.
Alexander Urbelis, senior counsel at New York-based law firm Crowell & Moring, which has helped victims gauge their exposure to the hackers’ dragnet, said extraordinarily slow download speeds from the hackers’ darknet leak site had made it “pretty much impossible for everyone” – whether well-intentioned or not – “to access the stolen data.”
Goldstein, the US official, said that in “many cases” the data had yet to be leaked.
Cl0p, which did not respond to messages from Reuters, appears to be trying to up its game. Late last month, it created websites specifically to distribute the stolen data more efficiently. Earlier this week, it began sharing the data over peer-to-peer networks.
That’s bad news for the victims, Bleicher of Surefire said.
“Once this data starts to slowly leak out, it will show up more on the subway,” he said. In turn, the impact of the breach will “probably be much greater than we currently think”.
(Reporting by Raphael Satter and Zeba Siddiqui; editing by Chris Sanders and Grant McCool)