Massive MOVEit Hack: 630K+ US Defense Officials’ Emails Breached

The organization targeted in the incident is Westat, a data firm utilized by the Office of Personnel Management (OPM) for survey administration.

The MOVEit data breach has caused havoc across all prominent industries and organizations. This large-scale cyberattack in May 2023 (from May 28th to May 30th, 2023) has claimed countless victims.

The attackers exploited a vulnerability in a managed file transfer software called MOVEit Transfer developed by Ipswitch INC. Many organizations have become targets of this breach including government agencies, airlines, educational and financial institutions and healthcare providers, and lost sensitive data such as credit card numbers, PII, and SSNs (social security numbers).

Bloomberg reports that the US Department of Justice is amongst the government agencies targeted in the MOVEit Transfer vulnerability exploitation spree. Reportedly, the email addresses of 632,000 employees from the agencies were accessed. 

According to the Office of Personnel Management’s (OPM) documents obtained through the Freedom of Information Act request, hackers obtained access to email addresses linked to government employee surveys and internal agency tracking codes by exploiting the MOVEit file transfer program used by Westat, a data firm the OPM uses for administer surveys.

Impacted employees mostly belonged to the Defense Department, including the Air Force, the Army, the Army Corps of Engineers, the Office of the Secretary of Defense and the Joint Staff officials. has been following the series of cyberattacks that took place in May 2023. The Russian-speaking cybercrime group Cl0p ransomware gang is blamed for exploiting this vulnerability. The gang made the stolen data public, impacting hundreds of government entities and businesses worldwide.  

In June 2023, the National Student Clearinghouse reported that 900 US schools were impacted by the MOVEit hack, with hackers stealing sensitive student records. In October, Sony confirmed that the data breach caused by the exploitation of MOVEit vulnerability has impacted 6791 of its previous and current employees or their family members,

Progress (formally Ipswitch) released a patch for the vulnerability but many organizations haven’t yet applied the patch and remain vulnerable to cyberattacks. The full extent of damage caused by the breach in May is yet unknown but quite possibly hackers gained access to classified data.

Commenting on this latest development, security awareness advocate at KnowBe4, Eric Kron, told Hackread that the Cl0p ransomware group has continuously made headlines for its attacks exploiting the MOVEit vulnerability, and has emerged as an unconventional gang that doesn’t bother about encrypting the data or disruption of service. This is why in many cases victims of data breaches remain unaware because there aren’t any ‘evident signs.’

“This group continues to make the news due to its exploits against MOVEit and the tactics it employed. Unlike the more traditional ransomware gangs that are operating this group does not bother with the encryption of the data and subsequent disruption of services. This means that in many cases the victims may not realise they are suffering a breach because there are no extremely evident signs such as failures of service or systems going offline.”

“While the group promised to delete information related to governments, cities or police departments, it seems highly unlikely that this group is to be trusted. While they may not leak this information publicly, it could be of great interest to other nation states looking to gather intelligence on American citizens or government agencies, potentially offering them a source of income if willing to sell the information to these entities.”

“Since patches are available for the MOVEit software, organisations must ensure they’ve been applied. Any organisations that have operated the software during the times of known attacks would be wise to ensure that there is no sign of previous exploitation of these vulnerabilities, even if they have not been approached with a ransom demand yet,” Kron added.

  1. IT Security firm Qualys extorted by Clop gang after data breach
  2. Clop ransomware gang leaks Jones Day law firm data on dark web
  3. Human Error: Casio ClassPad Data Breach Impacting 148 Countries
  4. UK’s Ofcom confirms cyber attack as PoC exploit for MOVEit is released
  5. Cisco Web UI Vulnerability Exploited Massly, Impacting Over 40K Devices