The number of victims targeted by the Clop ransomware gang’s targeting of a critical vulnerability in Progress Software Corp.’s MOVEit file transfer software continues to grow, with the revelation today that the victims now include several U.S. government agencies.

Although a full list of agencies targeted was not disclosed by Cybersecurity & Infrastructure Agency officials who spoke to various media outlets, later reports suggest that the Department of Energy was one of those targeted.

Federal News Network, citing multiple sources, claims that Oak Ridge Associated Universities and the DOE’s Waste Isolation Pilot Plant near Carlsbad, New Mexico, experienced data breaches involving the MOVEit vulnerability. The DOE confirmed the report, although it noted that it did not affect agency data.

“The U.S. Department of Energy takes cybersecurity and the responsibility to protect its data very seriously,” a DOE spokesperson said. “Upon learning that records from two DOE entities were compromised in the global cyberattack on the file-sharing software MOVEit Transfer, DOE took immediate steps to prevent further exposure to the vulnerability and notified the Cybersecurity and Infrastructure Security Agency.”

However, the DOE may be the tip of the iceberg as more and more victims continue to come to light. Since a report last week detailing victims, including the BBC, British Airways Plc and the pharmacy chain Boots UK Ltd., had been targeted through a MOVEit attack on payroll company Zellis UK Ltd., the list of victims has grown.

Bleeping Computer reported that Clop has listed thirteen companies and organizations on its dark web leaks site. Several of those listed have since confirmed that they have been victims: Shell Plc, UnitedHealthcare Student Resources, the University of Georgia, the University System of Georgia, Heidelberger Druckmaschinen AG and Landal Greenparks.

Clop is also reportedly demanding that victims pay a ransom, or they will start publishing stolen data on June 21.

MOVEit is managed file transfer software designed to provide secure and compliant file transfers for sensitive data within and between organizations. The vulnerability, officially designated CVE-2023-34362, allows an unauthenticated, remote attacker to send a specially crafted SQL injection to a vulnerable MOVEit Transfer instance.

Foretelling that this may just be the beginning, Colin Little, security engineer at cybersecurity firm Centripetal Networks Inc., told SiliconANGLE that “given the scope of this campaign, along with the current view of the geopolitical landscape and the alleged nationality of the major affiliation behind the campaign, my opinion is that this campaign signals a major escalation in the hostilities of ongoing cyber warfare.”

“What’s worse, I believe this campaign has the strong potential to trigger a chain reaction of continuing and major escalations of hostilities not only in cyber warfare but the geopolitical landscape as well,” Little added. “Unlike other industry verticals, the U.S. federal government and other governments worldwide that have been breached may be permitted to deploy more offensive cyber resources than, say, a university or a hospital.”

Image: Bing Image Creator