In the shadowy depths of our cyber-infused reality, an unreported battle of epic proportions is taking place. The American Department of Health and Human Services (HHS), a supposed bastion of privacy and personal data protection, has fallen prey to a sweeping cyber onslaught that puts a shocking number of citizens at risk – to the tune of at least 100,000.
Just last Thursday, the grim announcement rang out from an HHS official. Health and human services contractors – those trusted with some of our most sensitive personal data – fell victim to cyber thieves. The culprits are believed to be a powerful assembly of Russian cybercriminals, ensnaring the HHS in an alarming cyber-warfare trend that has seen an increasing number of U.S. government agencies compromised.
The secret got out last Tuesday when HHS informed Congress of the breach, as required by law for cases that affect the personal data of 100,000 or more individuals. But the story they told paints an unsettling picture. According to officials who confided in CNN, it wasn’t the HHS system or network that was breached; rather, third-party software – MOVEit Transfer – was exploited to gain access.
This file transfer software, popular amongst companies, schools, and government agencies worldwide, was the weak link the Russian cyber rogues used to infiltrate. Despite Progress Software, the American creators of MOVEit, releasing a security patch, the cyber thieves managed to slip in undetected.
But the HHS is not alone in this ignoble list of victims. Among the affected are the Department of Energy, the Office of Personnel Management, and the US Department of Agriculture, with the grim list growing by the day.
The invisible puppeteer orchestrating this vast cyber assault is a Russian-speaking group ominously known as ‘CLOP’. Instead of the more common ransomware approach, these digital predators steal data and extort their victims. While federal agencies were moderately affected, millions of average Joes and Janes had their personal data hijacked. States like Louisiana, Oregon, and even the public pension funds of California had their data plundered.
Yet, the list of victims continues to expand. From Siemens Energy – who claimed no critical data was compromised – to the University of California, Los Angeles – confirming a breach but denying a ransomware incident – it seems no one is truly safe.
In an unsettling twist, stolen data from the MOVEit breach is appearing on dark web extortion sites, indicating that some ransomware efforts have floundered. The precise number of victims that have succumbed to these demands remains unknown. Yet even a small number of victims can keep these cyber thieves flush with ill-gotten gains and set the stage for future attacks.
As Shane Sims, former FBI supervising special agent and current CEO of Kivu Consulting, puts it, “We are conducting a number of aggressive forensic investigations related to this vulnerability involving unusually high ransom demands… Victims span across the US and UK and include sectors such as finance, industry, law, healthcare, and technology.”
Meanwhile, across the Atlantic, a cyberattack stirs Europe’s very foundations and potentially triggers Article 5 of NATO. The Swiss Federal Intelligence Service’s ‘Swiss Security 2023’ report sends alarm bells ringing, revealing the potential threat of cyberattacks led by Russian actors. This cyber turmoil, coupled with the war in Ukraine, might trigger a wider conflict.
While the neutral country of Switzerland may not directly attract the wrath of such hostile actors, it cannot escape the ricochet effects of cyber warfare aimed at other nations. The report highlights the unpredictable nature of non-state actors and the potential for disruption, partial failure, or temporary restriction of critical services.
This is not an episode of a dystopian Netflix series.
It’s our harsh reality, where invisible enemies wield information as weapons and nations teeter on the brink of conflict.
Every click of the keyboard echoes like the cocking of a gun – and the cyber battlefield is fraught with unseen danger.