The impacts come after ransomware actors compromised third-party file transfer software MOVEit Transfer in late May. MOVEit is designed to “secure the transfer of sensitive data,” per the company, and counts both private companies and government agencies around the world among its users.
But on May 27, the CL0P ransomware group appears to have exploited a zero-day vulnerability in MOVEit, according to the Cybersecurity and Infrastructure Security Agency (CISA).
CL0P claimed in early June that it had stolen data from hundreds of organizations via the exploit, and it pressured victims to contact it by June 14. After that date, CL0P said it would start naming non-communicative victims and begin leaking stolen data later in the month, according to Cybersecurity Dive. Per Security Week, the ransomware operators say on their website that they won’t extort impacted government organizations.
Progress Software, the company behind MOVEit, announced discovery of the vulnerability on May 31. Known victims so far include the Minnesota Department of Education and the U.K. communications regulatory body, Ofcom.
Illinois agencies could be joining that list.
The Illinois DoIT announced on Friday that “within minutes” of learning of the attack on May 31, it “took immediate action, disconnected all associated systems that utilized the third-party software, and engaged its security incident response team to conduct a forensic analysis.” It is currently advising affected agencies.
DoIT is continuing to investigate how deeply the event has impacted state systems. A full count is not yet available, but the department said “a large number of individuals could be impacted.” Once the department establishes exactly who’s affected, it plans to issue a public notice and set up a call center to answer questions and provide assistance, DoIT said.
“DoIT’s Infrastructure and Security teams moved quickly to respond to the attack affecting Illinois’ network, evicting the attacker within three hours and verifying that the vulnerability could no longer be exploited in our system,” said Sanjay Gupta, state CIO and DoIT acting secretary, in a statement.
CISA and the FBI have issued a joint advisory on MOVEit that covers detection methods and mitigations.