Cybercriminals breached a third party contractor's network to access Department of Health and Human Services data using vulnerabilities in the MOVEit file transfer service. Alex Wong / Getty Images
Third-party contractor software exploited in attack on HHS data
An official with the Health and Human Services Department said attackers gained access to data by exploiting a major vulnerability found in the popular MOVEit file transfer service.
Cybercriminals gained unwarranted access to data overseen by the Department of Health and Human Services after leveraging a mass exploit in Progress Software's MOVEit file transfer service that was used by the agency's third-party contractors.
“Attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software of third party vendors,” an HHS official said in a statement to Nextgov/FCW.
The official said that "no HHS systems or networks were compromised" and added that Congress was notified about the incident on Tuesday. The agency is now conducting an investigation in accordance with the Federal Information Security Modernization Act and plans to provide lawmakers with additional updates.
The Cybersecurity and Infrastructure Security Agency confirmed in a call with reporters earlier this month that numerous federal agencies had been impacted by the exploit. Federal contracting records indicate that Progress Software products are found across federal agencies, the Intelligence Community and military networks.
A Russian-linked ransomware gang called CL0P began exploiting the vulnerability found in the popular file transfer solution last month, according to CISA. The exploit allows attackers to steal data from underlying MOVEit databases. The agency released a joint statement with the FBI saying they "expect to see widespread exploitation of unpatched software services in both private and public networks.”
A vast range of organizations have been swept up in the widespread attack, from federal agencies and law enforcement divisions, to law firms and departments of education. The exploit is also a significant threat to hospitals and healthcare organizations, many of which use the file transfer solution.
The global software breach has raised concerns about a potential cyber leadership vacuum in the federal government, with lawmakers and security experts alike calling on President Joe Biden to appoint a permanent national cyber director. Acting National Cyber Director Kemba Walden assumed the post after Chris Inglis retired earlier this year.
Research published earlier this week also revealed hundreds of devices on federal networks that were vulnerable to critical cybersecurity threats, in potential violation of recent federal directives.
Progress Software has issued patches for the initial MOVEit vulnerability and others that the company discovered earlier this month.