In the past several days, more state and federal agencies have come forward. The Colorado Department of Health Care Policy and Financing, Maryland Department of Human Services, U.S. Department of Agriculture and U.S. Office of Personnel Management all said they were impacted.
While the CL0P ransomware gang claims it deletes all data stolen from governments, this may not be bearing out. The Department of Energy (DOE) reported that two of its entities received ransomware notes. Per Reuters, a spokesperson said the notes “came in individually, not as kind of a blind carbon copy,” and that CL0P hasn’t rescinded the extortion requests. The DOE entities — the Oak Ridge Associated Universities and the Waste Isolation Pilot Plant — “did not engage” with CL0P, the spokesperson said.
Looking to crack down on the threat actors, the U.S. State Department announced a bounty for information connecting the hackers to a foreign government. A Twitter post promised up to $10 million in rewards for details linking CL0P — “or any other malicious cyber actors targeting U.S. critical infrastructure” — to a foreign government. The offer comes via the department’s Rewards for Justice program, which promises financial rewards for information about national security threats such as “foreign-directed malicious cyber activities” and terrorism.
LATEST FEDERAL VICTIMS
U.S. Department of Agriculture (USDA) may have been impacted by CL0P, the agency said. A spokesperson told Recorded Future that “USDA is aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support.”
The Office of Personnel Management (OPM) was also affected, with officials investigating exactly which of its data may have been compromised, according to CNN.
OPM is the “chief human resources agency and personnel policy manager for the federal government.” It suffered an eye-opening data breach in 2015 that exposed sensitive information on roughly 22 million people.
NEW STATE VICTIMS
Colorado Department of Health Care Policy and Financing (HCPF) said that it believes personally identifiable information (PII) on individuals who’d used either of two social safety net health insurance programs was likely compromised. This affects the Child Health Plan Plus (CHP+) — a low-income, public health insurance for “certain children and pregnant women,” per the state — and Health First Colorado, the state’s Medicaid program.
“HCPF recommends individuals who have applied for or have been covered anytime since 2015 by Health First Colorado or Child Health Plan Plus take precautionary measures to protect themselves, such as accessing and monitoring personal credit reports,” the department said on its website.
In this case, the impact reached HCPF via its partners. A third-party vendor – not HCPF itself – used the MOVEit software.
HCPF said it was now working with the state Office of Information Technology and that third-party vendor to investigate the incident and extent of its impact. HCPF said it would notify impacted individuals once it knows more.
Meanwhile, “HCPF has also reached out to all of its vendor partners to ensure their awareness of the MOVEit global cybersecurity attack, as well as to require their specific actions to determine, address and communicate back to the department any cyber attack findings for further action.”
Maryland Department of Human Services announced it was affected and the state IT department’s Office of Security Management has been investigating whether any other state agencies were impacted.
“The Governor’s Office and the department [of Information Technology] will continue to monitor for vulnerabilities, apply security patching and coordinate response among state agencies and entities potentially involved,” the state said in a June 17 announcement. “There is no current indication that any stolen data involved has been sold, used, shared or released, and the attackers have not contacted the state of Maryland.”
Maryland said that state IT contacts, emergency coordinators and local emergency managers had been alerted and advised to read the Cybersecurity and Infrastructure Security Agency’s advisory on the incident. The IT department would be available to assist these parties in patching possible vulnerabilities.
