How the MOVEit Vulnerability Punctured Numerous Government Agencies 

In May 2023, a managed file transfer program named MOVEit, used by a wide range of private businesses and government agencies, experienced a major data breach from an SQL injection attack on public-facing servers. The data transfers were facilitated via a tailor-made C# web shell nicknamed LemurLoot. The web shell was delivered to target systems via MOVEit as seemingly legitimate ASP.NET files and was subsequently used to steal Azure blob information. As a result, over 2500 organizations were affected.

Among these were the BBC, Shell, British Airways, Boots, Aer Lingus, Ernst & Young, Ofcom, TFL and the Oregon and Louisiana State Offices of Motor Vehicles. More than 80% of the organizations breached were US-based, most notably government services. The popular cybersecurity news service Axios stated that the breach ‘highlights just how vulnerable the US government remains to cyberattacks after years of investments by agencies to improve security postures’.

Russian hacking gang Cl0p are suspected to be the organizers of the breach after a list of victims was published on their EU site.  

The Impact on a Government Agency and Mitigation Techniques

The Louisiana State Drivers Agency stands out as one of the major victims of this breach: every holder of a Louisiana-issued licence, ID, or car registration likely had their data exposed during the hack. This includes names, birthdates, social security numbers, and vehicle and licence registration information, as well as less sought-after information such as eye colour and height.

While exposure doesn’t necessarily mean the information was taken, and no explicit evidence of data transfers was detected, data exposure alone is enough reason for all concerned individuals to follow these incident response and mitigation techniques:

  • Freeze your credit to prevent unauthorized new accounts or loans. 
  • Change all passwords and multifactor authentication. 
  • Protect your tax refund and returns with the IRS. 
  • Check your Social Security benefits. 
  • Report suspected identity theft.

This is in compliance with ISO 27001, NIST and cybersecurity best practice. It covers prompt notification of security flaws and subsequent patching, incident response and mitigation techniques, communication and collaboration with all concerned parties, and risk assessment and management.
