vulnerable victims

A US radioactive waste storage facility was one of the targets of the global CLOP hack

The Waste Isolation Pilot Plant was one of the two US Department of Energy entities affected

We may earn a commission from links on this page.
Another shipment of Transuranic (TRU) waste arrives safely at the Waste Isolation Pilot Plant, 26 miles southeast of Carlsbad, New Mexico.
The Waste Isolation Pilot Plant in Carlsbad, New Mexico, was affected by the hack
Photo: US Department of Energy

US federal government agencies were among the target of the global ransomware hack that targeting file-transfer software MOVEit.

Progress Software Corp., which made MOVEit, has warned of a third, new critical software vulnerability in the software that could give malicious actors “take control of an affected system,” the US Cybersecurity and Infrastructure Security Agency (CISA) shared yesterday (June 15).


The US Department of Energy (DoE) is among those breached in the ongoing global hacking campaign, a department spokesperson confirmed to CNN, saying: “The Department has notified Congress and is working with law enforcement, CISA, and the affected entities to investigate the incident and mitigate impacts from the breach.” Quartz contacted the DoE for comment.

The not-for-profit research institution Oak Ridge Associated Universities and a contractor affiliated with the Waste Isolation Pilot Plant (WIPP), a radioactive waste storage facility located around Carlsbad, New Mexico, were the two DoE entities that got hacked, according to the Federal News Network. The Transportation Security Administration and the State Department reassured both said they were not victims of the hack, CNN reported.


A notorious CLOP ransomware gang, Lace Tempest, is allegedly behind the hack, which started around two weeks ago, exploiting other weaknesses in the same software and demanded payment from the companies affected in exchange to release their data. In a message posted on their website, the group has promised to delete all government data.

One big number:

2,500: Instances of MOVEit Transfer exposed to the public internet as of May 31, the majority of which look to be in the United States.

A brief timeline of the MOVEit hacks

May 31: Progress Software publishes an advisory warning of a critical SQL (a programming language) injection vulnerability in their MOVEit Transfer and MOVEit Cloud, which allows remote attackers to gain unauthorized access to it database.


June 5: Microsoft attributes attacks to the threat actor Lace Tempest, known for ransomware operations using the CLOP malware.

June 9: Progress Software releases a new patch for the old vulnerability as well as a second SQL injection vulnerability.


June 14: The deadline the hackers set for entities to contact them and negotiate a ransom. Organizations that get in touch will be shown proof the gang has their data and they will have three days to discuss the price for deleting that data, the group had said earlier.

June 15: Progress discloses a third vulnerability and the ransomware group begin releasing the names of those affected by the hack, according to BBC.


Quotable: Organizations that didn’t use MOVEit could still be hacked

“Even if a company doesn’t use MOVEit Transfer, a trusted third party (supplier, partner, etc.) of theirs might. If this trusted third party’s MOVEit system was breached, this could mean a breach of the original company’s sensitive data may have occurred.”Tyler Hudak, incident response practice lead at information security consultancy TrustedSec.


A non-exhaustive list of entities in the MOVEit attack

🏘️ In Minnesota, hackers stole files that included about 95,000 names of students placed in foster care throughout the state.


🔬 Johns Hopkins University in Baltimore and its renowned health system were affected by the cybersecurity attack, which “impacted sensitive personal and financial information, [including names, contact information, and health billing records.]”

💸 UK-based payroll service provider Zellis was a victim of the hack. It exposed details of the staff of several companies including the UK’s BBC, pharmacy chain Boots, and airline British Airways. Up to 100,000 employees may have been affected.


📡 British communications regulator Ofcom said hackers stole a “limited amount of information about certain companies we regulate—some of it confidential—along with personal data of 412 Ofcom employees.”

🏕️ Landal GreenParks, a Dutch campsite and recreation company, said the gang had accessed guest data, including names and contact details of about 12,000 people.


🛢 Oil giant Shell acknowledged the breach but said there was “no evidence of impact to Shell’s core IT systems” and Shell is “not communicating with the hackers.”

🚖 Transport for London warned nearly 13,000 drivers on the Ulez and Congestion Charge databases that their data was stolen.


🇨🇦 Nova Scotia, a Canadian province, saw the personal data of more than 130,000 people, including social insurance numbers, addresses and banking information, stolen from regional centres for education, the francophone school board, water and tax bill accounts with the local municipality, and more.

A little more about the hackers using CLOP ransomware

The hacker gang known for using CLOP ransomware was first discovered in 2019—a long time in the ever-changing cyber world—but is known in the cybersecurity community by many names apart from Lace Tempest, including Dungeon Spider and FIN11.


In June 2021, Ukrainian law enforcement arrested half a dozen gang members and seized equipment including computers, Tesla and Mercedes cars, and cash. The group went silent between November 2021 and early 2022, but it’s made a comeback since.

The notorious group is known to hold the data to multimillion-dollar ransoms. It uses a “double extortion” method, wherein it exfiltrates organizations’ sensitive data prior to encryption and give deadlines for payment to pressure victims into paying the ransom. If victims fail to pay, adversaries release the data.


However, this time around, the group claimed it will delete all government data, and to that tune, they’ve made no ransom demands. “If you are a government, city or police service do not worry, we erased all your data. You do not need to contact us. We have no interest to expose such information,” the hackers wrote in a statement, quoted by CNN.

Related stories

💰 A Russian cyber gang is threatening to publish the payroll data of 100,000 people


🛬 Pro-Russian hackers have attacked Europe’s air-traffic agency

✌️ The US claimed a cyber victory against a Russian malware network