Russian Ransomware Gang Breaches US Energy Department and Other Federal Agencies
Frank Bajak, June 16, 2023
The U.S. Department of Energy and several other federal agencies have been compromised in a global hack, carried out by a Russian cyber-extortion gang, of a file transfer program popular with businesses and governments, but the impact is not expected to be significant, Homeland Security officials said Thursday.
But for others, potentially hundreds of victims, among them patrons of at least two government motor vehicle agencies, the hack was beginning to have serious consequences.
Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, or CISA, told reporters that this campaign, unlike the careful, stealthy SolarWinds hacking campaign attributed to state-backed Russian intelligence agents that was months in the making, was short-lived, relatively superficial and quickly caught.
“Based on discussions we’ve had with industry partners… these intrusions are not being used to gain wider access, gain persistence into targeted systems, or steal specific high-value information. Basically, as we understand it, this attack is largely opportunistic,” Easterly said.
“While we are deeply concerned about this campaign and are urgently working on it, this is not a campaign like SolarWinds that poses a systemic risk to our national security or our nations’ networks,” she added.
A senior CISA official said neither the US military nor intelligence agencies were affected. Energy department spokesman Chad Smith said two agencies had been compromised, but he gave no further details.
Known victims to date include Louisiana’s Office of Motor Vehicles, Oregon’s Department of Transportation, the provincial government of Nova Scotia in Canada, British Airways, the BBC, and British drugstore chain Boots. The abused program, MOVEit, is widely used by companies to securely share files. Security experts say the files moved through it can contain sensitive financial and insurance data.
Louisiana officials said Thursday that people with driver’s licenses or vehicle registrations in the state likely had their personal information exposed. That included their names, addresses, social security numbers and dates of birth. They encouraged Louisiana residents to freeze their credit to prevent identity theft.
The Oregon Department of Transportation confirmed Thursday that the attackers had access to personal information, some of which was sensitive, of about 3.5 million people to whom the state had issued ID cards or driver’s licenses.
The Cl0p ransomware syndicate behind the hack announced on its dark web site last week that the victims, suggesting they numbered in the hundreds, had until Wednesday to get in touch to negotiate a ransom or risk having their stolen data dumped online.
The gang, one of the world’s most prolific cybercrime syndicates, also claimed it would delete all data stolen from governments, cities and police departments. But cybersecurity experts say the Cl0p hackers cannot be trusted to keep their word.
The senior CISA official told reporters that a small number of federal agencies were affected and declined to name them, saying this is not a widespread campaign affecting a large number of federal agencies. The official, who spoke on condition of anonymity to discuss the breach, said no federal agency had received extortion claims and that Cl0p had not leaked any data from any affected federal agency online.
“U.S. officials have no evidence of coordination between Cl0p and the Russian government,” the official said.
MOVEit’s American maker, Progress Software, warned customers about the breach on May 31 and released a patch. But cybersecurity researchers say dozens, if not hundreds, of companies could have had sensitive data quietly exfiltrated by then.
Federal officials encouraged victims to come forward, but in such cases they often fail to do so. The US lacks a federal data breach law and disclosure of hacks varies by state. Listed companies, healthcare providers and some critical infrastructure providers have legal obligations.
Cybersecurity firm SecurityScorecard says it has detected 2,500 vulnerable MOVEit servers in 790 organizations, including 200 government agencies. It said it was unable to break down those agencies by country.
The Office of the Comptroller of the Currency in the Treasury Department uses MOVEit, according to federal contract data. Spokeswoman Stephanie Collins said the agency was aware of the hack and was closely monitoring the situation. She said it performed a detailed forensic analysis of system activity and found no evidence of a sensitive information breach.
As early as March 29, the hackers were actively searching for targets, penetrating them and stealing data, said SecurityScorecard threat analyst Jared Smith.
This is far from the first time Cl0p has breached a file transfer program to access data that it could then use to extort companies. Other examples include GoAnywhere servers in early 2023 and Accellion File Transfer Application devices in 2020 and 2021.