Tag: Cybersecurity and Infrastructure Security Agency

How a Zero-Day Flaw in MOVEit Led to a Global Ransomware Attack

In an era where our lives are ever more intertwined with technology, the security of digital platforms is a matter of national concern. A recent large-scale cyberattack affecting several U.S. federal agencies and numerous other commercial organizations emphasizes the criticality of robust cybersecurity measures.

The Intrusion

On June 7, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) identified an exploit by “Threat Actor 505” (TA505), namely, a previously unidentified (zero-day) vulnerability in a data transfer software called MOVEit. MOVEit is a file transfer software used by a broad range of companies to securely transfer files between organizations. Darin Bielby, the managing director at Cypfer, explained that the number of affected companies could be in the thousands: “The Cl0p ransomware group has become adept at compromising file transfer tools. The latest being MOVEit on the heels of past incidents at GoAnywhere. Upwards of 3000 companies could be affected. Cypfer has already been engaged by many companies to assist with threat actor negotiations and recovery.”

CISA, along with the FBI, advised that “[d]ue to the speed and ease TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks.”

Although CISA did not comment on the perpetrator behind the attack, there are suspicions about a Russian-speaking ransomware group known as Cl0p. Much like in the SolarWinds case, they ingeniously exploited vulnerabilities in widely utilized software, managing to infiltrate an array of networks.

Wider Implications

The Department of Energy was among the many federal agencies compromised, with records from two of its entities being affected. A spokesperson for the department confirmed they “took immediate steps” to alleviate the impact and notified Congress, law enforcement, CISA, and the affected entities.

This attack has ramifications beyond federal agencies. Johns Hopkins University’s health system reported a possible breach of sensitive personal and financial information, including health billing records. Georgia’s statewide university system is investigating the scope and severity of the hack affecting them.

Internationally, the likes of BBC, British Airways, and Shell have also been victims of this hacking campaign. This highlights the global nature of cyber threats and the necessity of international collaboration in cybersecurity.

The group claimed credit for some of the hacks in a hacking campaign that began two weeks ago. Interestingly, Cl0p took an unusual step, stating that they erased the data from government entities and have “no interest in exposing such information.” Instead, their primary focus remains extorting victims for financial gains.

Still, although every file transfer service based on MOVEit could have been affected, that does not mean that every file transfer service based on MOVEit was affected. Threat actors exploiting the vulnerability would likely have had to independently target each file transfer service that employs the MOVEit platform. Thus, companies should determine whether their secure file transfer services rely on the MOVEit platform and whether any indicators exist that a threat actor exploited the vulnerability.

A Flaw Too Many

The attackers exploited a zero-day vulnerability that likely exposed the data that companies uploaded to MOVEit servers for seemingly secure transfers. This highlights how a single software vulnerability can have far-reaching consequences if manipulated by adept criminals. Progress, the U.S. firm that owns MOVEit, has urged users to update their software and issued security advice.

Notification Requirements

This exploitation likely creates notification requirements for the myriad affected companies under the various state data breach notification laws and some industry-specific regulations. Companies that own consumer data and share that data with service providers are not absolved of notification requirements merely because the breach occurred in the service provider’s environment. Organizations should engage counsel to determine whether their notification requirements are triggered.

A Call to Action

This cyberattack serves as a reminder of the sophistication and evolution of cyber threats. Organizations using the MOVEit software should analyze whether this vulnerability has affected any of their or their vendors’ operations.

With the increasing dependency on digital platforms, cybersecurity is no longer an option but a necessity in a world where the next cyberattack is not a matter of “if” but “when;” it’s time for a proactive approach to securing our digital realms. Organizations across sectors must prioritize cybersecurity. This involves staying updated with the latest security patches and ensuring adequate protective measures and response plans are in place.

© 2023 Bradley Arant Boult Cummings LLP

For cybersecurity legal news, click here to visit the National Law Review.

Guarding the Grid: DOE Releases 100-Day Cybersecurity Pilot Program

The February 2021 hack into Oldsmar, Florida’s water treatment system is a frightening reminder that critical infrastructure systems can be vulnerable to cyberattacks and that cyberattacks can jeopardize health and safety. In this case, the hack may have spurred government action. On Tuesday, the Biden administration announced a 100-day plan “to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control of electric utilities.”

In a coordinated effort among the Department of Energy (“DOE”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and the electricity industry, the plan lays out four areas of focus for the next 100 days: (1) enhancement of mechanisms for detection, mitigation, and forensic activities; (2) “concrete milestones” for the industry to develop “situational awareness and response capabilities in critical industrial control systems (ICS) and operational technology networks (OT)”; (3) reinforcement of overall cybersecurity in critical infrastructure information technology networks; and (4) voluntary industry participation programs “to deploy technologies to increase the visibility of threats in ICS and OT systems.”

The plan’s success likely hinges on the government’s ability to develop sustainable, cooperative relationships with the relevant industries. “Public-private partnership is paramount to the Administration’s efforts,” said National Security Council (“NSC”) Spokesperson Emily Horne in response to Tuesday’s announcement, “because protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure.” It appears that similar plans are being developed for additional critical infrastructure industries, including water, the chemical sector, and natural gas.

The previous administration responded to the escalating threat of cyberattacks from foreign adversaries[1] in part with Executive Order 13920, which declared a national emergency with regard to electric grid security and gave the Secretary of Energy the authority to prohibit certain transactions involving electric equipment potentially controlled by a foreign adversary. Relying on EO 13920, the DOE issued a Prohibition Order in December 2020 barring “Critical Defense Facilities” and any supporting facilities from purchasing or installing electricity generation equipment manufactured in China (“December Prohibition Order”).

On January 20, 2021, President Biden’s DOE issued a 90-day suspension of EO 13920 and the December Prohibition Order to allow the DOE and the Office of Management and Budget to consider methods of “protect[ing] against high-risk electric equipment transactions by foreign adversaries while providing additional certainty to the utility industry and the public.” Tuesday’s announcement from the DOE revoked the December Prohibition Order, effective immediately, but EO 13920 will remain in place until it expires on May 1, 2021.

The DOE has now opted to revoke the December Prohibition Order in an effort to “create a stable policy environment” while the DOE further develops its cybersecurity strategy for the electricity sector. However, utilities are still encouraged to “act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence” while the DOE develops further recommendations.

To assist in cybersecurity strategy development, along with the DOE’s 100-day plan announcement, the DOE issued a Request for Information (“RFI”) “focused on preventing exploitation and attacks by foreign threats to the U.S. supply chain.” Interested parties are encouraged to submit input to the DOE by June 7, 2021 regarding the development of “a long-term strategy that includes technical assistance needs, supply chain risk management, procurement best practices, and risk mitigation criteria” as well as the “depth and breadth of a future prohibition authority.” Instructions for submitting comments can be found on the DOE’s website.

The DOE is still hammering out many details of the 100-day plan, and some details may never be released to the public – expansions of DOE’s Cyber Testing for Resilient Industrial Control Systems program, for example, will be classified to avoid oversharing with foreign intelligence. While the DOE works to develop its 100-day plan, utilities should evaluate cybersecurity infrastructure within their own systems. For example, utilities could make renewed efforts to take inventory of software and hardware used across any systems touching critical infrastructure, and ensure that all technology is secure and up to date. If defense, detection, and prevention systems do not meet the DOE’s suggested standards, a utility could consider implementing additional measures or strengthening current systems now.

Additionally, a utility could consider whether and how its organization might participate in an information-sharing program. Any thoughts regarding guardrails and disclosure limitations for such a program could be submitted as comments to the RFI. Also, a utility could consider how its current approach to communicating with internal and external stakeholders about cyber issues might impact participation in information sharing.

[1] The new 100-day plan comes not only in the wake of the Oldsmar water system hack but also just days after the administration announced sanctions against Russia for its role in the Solar Winds hack.

© 2021 Bracewell LLP

ARTICLE BY Philip J. Bezanson,  Claire E. Cahoon, Catherine P. McCarthy and Joshua C. Zive of  Bracewell LLP
For more articles on cybersecurity, visit the NLR Communications, Media & Internet section.