Major government hack a wake-up call for agencies

The global cyberattack that targeted a number of federal agencies should be seen as a wake-up call for the government, as the constant threat of cyberattacks for both the public and private sector is unlikely to abate.

According to an IBM report, a data breach could cost government agencies on average $2.07 million per incident. It also said that in 2018, cyberattacks cost the U.S. government $13.7 billion, Security Intelligence reports. 

The Russian-speaking ransomware group, which is reportedly behind the hack, exploited a vulnerability in a software application known as MOVEit, which is widely used by government agencies to transfer files. 

HHS among targets in government hacking attack

Rex Booth, chief information security officer at tech company SailPoint, said that people should remain concerned as the software is widely used across the federal government and private companies and may hold sensitive information, including HR files containing personal identifiable information or audit reports.

Although the impact and scope of the attack is still under investigation, the fact that the hackers targeted multiple agencies simultaneously should be of great concern, experts said. 

“In simple terms, U.S. agencies and businesses worldwide are under constant cyber threat,” said Ryan Lasmaili, CEO and co-founder of Vaultree, a data encryption company.

“The recent attack by the CLoP group is the latest reminder of this fact,” Lasmaili said in an email. 

Hack shares similarities to SolarWinds incident

Emil Sayegh, president and CEO of data security firm Ntirety, said the attack was a significant event with far-reaching implications as the hackers targeted several U.S. federal agencies, which are responsible for critical functions and hold sensitive information.

“The attack demonstrated the vulnerability of our infrastructure and the potential for serious breaches, reminiscent of the SolarWinds attack,” Sayegh said. 

In 2020, SolarWinds, a Texas-based software firm, was breached when Russian state-sponsored hackers exploited vulnerabilities in software updates from the tech company to penetrate the networks of nine federal agencies and at least 100 private sector organizations for nearly a year. 

Multiple federal agencies hit in cyberattack: report

Sayegh added that cyberattacks like this raise concerns about the country’s national security, the protection of sensitive information and the potential disruption of essential services.

Jason Blessing, a research fellow at the American Enterprise Institute, said that the recent cyberattack shows that the lessons from the SolarWinds hack are still “highly relevant” three years later. 

“While the MOVEit hack did not approach the scale of Solarwinds, the formula for protecting government networks and critical infrastructure is the same: interagency communication and cooperation, a quick response time from the private sector and imposing costs on the perpetrators to alter their calculus for future hacking attempts,” Blessing said.

Agencies team up to be ready next time

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said during a press call last month that her agency has been working with the FBI to understand how prevalent the issue is and provide support to the federal agencies impacted by the hack.

“While our teams are urgently focused on addressing risks posed by this vulnerability, it’s important to clarify the scope and nature of this campaign,” Easterly said. “Specifically, as far as we know, these actors are only stealing information that is being stored on the file transfer application at the precise time that the intrusion occurs.”

“These intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high value information. In sum, as we understand it, this attack is largely an opportunistic one,” she added. 

The FBI told The Hill in a statement that it was aware of the cyberattack and was conducting an investigation. 

“We highly encourage the public and all organizations using MOVEit software to read the FBI and CISA’s joint cybersecurity advisory to learn more about the threat and how to mitigate potential cyber attacks,” The FBI said. 

The Department of Energy and the Department of Health and Human Services (HHS) were among the federal agencies impacted. 

Although it was originally reported that none of the federal agencies affected was asked to pay a ransom, Reuters later reported that Energy did receive such requests at two facilities that were breached by the CLoP ransomware group. 

“The wide-scale nature of this attack underscores the importance of bolstering the ability of industry specific federal agencies to secure America’s critical infrastructure and respond to complex attacks,” said House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) and Committee Ranking Member Frank Pallone, Jr. (D-N.J.), in a statement. 

“We continue to monitor the situation and are requesting briefings from the Biden administration, including from DOE, in order to gain a complete understanding of the severity of this attack,” the lawmakers said. 

Booth said the CLoP ransomware group is known for its double extortion scheme where it encrypts the stolen data and then threatens to leak the information unless the victim pays a ransom.  

Booth also said he doesn’t believe that the breach was a targeted attack but was more so a target of opportunity.

“These attackers figured out that there was a vulnerability in the software and then started hunting for instances where they could try to exploit it,” Booth said. 

“It just so happens that a handful of federal agencies got swept up in that hunt. But to my knowledge, there's no indication that federal agencies were specifically targeted,” he added. 

How should the government respond?

Cyrus Walker, the founder and managing principal at cybersecurity firm Data Defenders, said federal agencies should have more coordinated and up-to-date countermeasures in place, including real-time threat intelligence sharing across agencies and with private sector industries. 

He also said that having leadership in place is as important as it ensures better coordination, enforcement and accountability.

“Having someone in a key leadership role would certainly ensure that there is appropriate coordination happening across the various domains at the federal level,” he said. 

Booth added that like any other organization, federal agencies need to improve the way in which they secure its software supply chain. 

He said the government should start by having an inventory list of their vendors and establishing a relationship with them to ensure timely notification for any security issues as well as testing the software every so often.  

“This is a good reminder for all of us that we need to take our software supply chains seriously,” Booth said. 

“The more data that we have out there, whether it's in a file transfer system or somewhere else, the higher the risk exposure,” he added. 

The FBI urged people to use its Cybersecurity Advisory as a way to report and learn about possible cyberattack risks.

"This CSA can be found at IC3.gov," the agency said in a statement to The Hill. "Anyone affected should report immediately to their local FBI field office and IC3.gov."