The higher education sector is reeling from the MOVEit breach, a mass hack of Progress Software’s file transfer service used by hundreds of organizations. Colleges and higher education groups alike — from the University of California, Los Angeles to the National Student Clearinghouse — have been caught up in the cybersecurity incident.
Even firms that weren’t directly hit are suffering from the attack. TIAA, a retirement services provider widely used by academics and teachers, alerted its members that the breach affected one of its vendors, PBI Research Services. The vendor audits member deaths and locates beneficiaries, handling sensitive data like Social Security numbers.
Clop, the group behind the attack, exploited the MOVEit software through a zero-day vulnerability, which refers to a security flaw that an attacker discovered before the company did.
It’s unclear how many organizations have paid Clop a ransom over stolen data. But given the scope of the attack, not many may need to to make it worthwhile for Clop, suggested Brett Callow, threat analyst at Emsisoft, a cybersecurity company.
“With so many organizations being hit, Clop doesn’t need to have a high conversion rate for this to be profitable,” Callow said. He said the ransomware group has already begun publishing data on the dark web, including data supposedly belonging to UCLA and the University System of Missouri.
Higher Ed Dive spoke with Callow to learn more about Clop, the MOVEit breach and how it could affect colleges.
This interview has been edited for clarity and brevity.
HIGHER ED DIVE: Talk to me about the cybercriminals that have taken responsibility for the MOVEit breach, Clop. What do we know about them?
BRETT CALLOW: They’ve been operating since 2019, or thereabouts, at least under the brand of Clop. They were likely working prior to that, too. They have in recent years become particularly adept at discovering zero days in file transfer platforms.
Brett Callow
Permission granted by Brett Callow
This is the third platform they have compromised in this way. The others have been Accellion File Transfer Appliance and Fortra GoAnywhere.
Do we know where they are located?
They are believed to be in Russia or Ukraine.
Talk to me about how they’ve approached this particular cyberattack, the MOVEit breach. What kind of threats have they made to organizations?
This is basically a smash-and-grab where they obtained as much data in relation to as many organizations as they possibly could in a short time. What the monetary demands they’re making are unclear. We don’t have visibility into that.
They’ve been posting lists of organizations whose data they say they’ve obtained on the dark web and asking them to contact them. Is that unusual?
Ransomware operations typically approach the organizations or at least leave a ransom note on the systems they’ve compromised. It’s quite unusual for them to simply put up a post on the dark web and invite organizations to get in touch.
That said, I have been told that they are contacting the organizations in certain cases directly.
Let’s talk specifically about the breaches affecting the National Student Clearinghouse and TIAA. What kind of impact could those have on colleges?
In the case of TIAA, it wasn’t actually using MOVEit. It was compromised via a vendor, PBI [Research Services]. The organizations between them likely deal with a significant percentage of schools in the U.S., which means it’s quite possible that this incident will have affected the majority of the schools in the U.S.
We have seen eight schools that are known to have been affected by both the breach at TIAA and the breach at NSC.
Do we know which groups of people in higher ed face the highest risk of having their data exposed? In other words, are students more at risk versus college employees or retired higher ed workers? Do we have any insight into that?
None. All of those groups are at risk.
Is there anything colleges can do at this point to mitigate risks from the incident?
All they can really do is to try to help the individuals who’ve been impacted, try to ensure that one crime doesn’t become many through people being hit by identity fraud. It’s really a matter of letting people know the risks as quickly as possible and offering them some advice as to what they should be doing.
What’s next with this event? What are you watching for in the coming weeks?
It will be a matter of seeing what other victims emerge and whether or not we start to see any signs of attempted misuse of the data that’s been stolen. And that can be used in a couple different ways: firstly and most obviously, to commit identity fraud.
But it could also be potentially used to spear phish other organizations. If someone were to steal my emails, for example, they could probably fairly easily convince my contacts that they were me, and convince my contacts to open an email attachment, at which point bad things could happen.
So this could compound into many other incidents?
Yes, that’s right, and this is the way that stolen data does get misused.
Is there anything else that’s important to note?
Clop has started releasing data onto the dark web, and that data is freely available to anybody who knows or can find the URL to Clop’s site. That means whatever information is being published is accessible to other cybercriminals anywhere on the planet.
They could start using that information very, very quickly. In fact, they may have already started to do so.