A major energy provider in Europe, a top U.S. vendor for the electric sector and a branch of one of the largest universities in America are the latest entities to be swept up in the MOVEit hack.
All three showed up in updates posted to the Cl0p ransomware group's leak site, alongside a number of other entities that SC Media is still working to confirm. Representatives from UCLA and Siemens confirmed to SC Media that some data was stolen, while a spokesperson for Schneider Electric said they only learned of the claims today and are investigating.
A UCLA spokesperson told SC Media that the university uses MOVEit Transfer to transfer files across campus and to other entities. On June 1, the UCLA IT security team found evidence of exploitation on May 28 by an unauthorized third-party to gain access to their MOVEit platform and “immediately activated its incident response procedures” patched the vulnerability and stepped up monitoring efforts for further malicious activity related to the vulnerability.
They also claimed “this is not a ransomware incident” and that “there is no evidence of any impact to any other campus systems.”
“The university notified the FBI and worked with external cybersecurity experts to investigate the matter and determine what happened, what data was impacted and to whom the data belongs. All of those who have been impacted have been notified,” a UCLA spokesperson said.
Siemens Energy spokesperson Claudia Nehring told SC Media in an email that the impact of the breach on their IT infrastructure was limited.
“Regarding the global data security incident, Siemens Energy is among the targets. Based on the current analysis no critical data has been compromised and our operations have not been affected. We took immediate action when we learned about the incident,” she said.
Cl0p’s dark web page Siemens Energy, Schneider Electric and UCLA do not currently contain files, only a note at the bottom that says “Warning: This company doesn't care about its customers, it ignored their security!!!”
Siemens Energy and UCLA did not respond to follow-up questions from SC Media about the systems or devices affected and what data was stolen. Schneider Electric has yet to respond to a request for comment.
In May, the Cl0p ransomware group took credit for exploiting a vulnerability in MOVEit Transfer, a file transfer application made by Progress Software and used by thousands of companies around the world. The cybercriminal group quickly has carried out a steady drip of leaks over the past month identifying hacked companies who refused to pay the ransom.
According to UCLA’s website, which was last updated June 7, the university has more than 47,000 enrolled students and has an overall budget of $9.2 billion.
Meanwhile, Schneider Electric and Siemens Energy are both major providers of technology and equipment for the energy sector and play key roles in the global energy sector supply chain.
Schneider Electric spokesperson Thomas Eck told SC Media that the company is aware of reports but did not confirm a compromise, saying only that they are investigating the claims.
"On May 30th, 2023, Schneider Electric became aware of vulnerabilities impacting Progress MOVEit Transfer software. We promptly deployed available mitigations to secure data and infrastructure and have continued to monitor the situation closely," Eck wrote in an email. "Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well."
