Cybercriminals Breach US Justice and Defense Departments, Obtain 632,000 Email Addresses
According to a report obtained through a Freedom of Information Act request, a Russian-speaking hacking group gained access to the email addresses of approximately 632,000 federal employees in the US Department of Defense and Department of Justice. The breach occurred during the extensive MOVEit hack that took place last summer.
A report from the US Human Resources Office provides new details about a cyberattack in which hackers exploited flaws in MOVEit, a popular file transfer tool. Federal cybersecurity officials previously confirmed that government agencies were compromised by the attack, but have provided little information about the extent of the attack and did not name the agencies affected.
The Office of Personnel Management, in a July report on the incident submitted to a congressional committee, said the unauthorized actor gained access to government email addresses, links to OPM-administered government employee surveys and internal OPM tracking codes. Affected employees were in the Department of Justice and various parts of the Department of Defense: Air Force, Army, US Army Corps of Engineers, Office of the Secretary of Defense, Staff and Defense Agencies, and Field Operations.
The Office of Personnel Management characterized the May 28-29 hack as a “major incident,” but also said there was no reason to believe it posed a significant risk and that the data compromised was of “generally low sensitivity” and not classified.
The Department of Justice and the Department of Defense did not immediately respond to requests for comment.
Other US agencies have previously confirmed they were affected by the MOVEit breach, including the US Department of Health and Human Services, the Department of Agriculture and the General Services Administration. The Energy Department received ransom demands from the hackers after two of its units were compromised.
A hacking gang called Clop or Cl0p was blamed for the attack. So far, more than 2,500 organizations have been affected, Brett Callow, a threat analyst at cybersecurity firm Emsisoft, posted on X, the platform formerly known as Twitter. Among the victims were government service provider Maximus Inc. and the Louisiana Office of Motor Vehicles, according to the company.
An eight-page report submitted to the House Committee on Science, Space and Technology found that hackers gained access to the data by exploiting a vulnerability in the MOVEit file transfer program used by Westat Inc., the OPM supplier for the surveys known as the Federal Employee Viewpoint Surveys. According to the report, there was “no indication” that any unauthorized user had accessed the survey links.
A spokeswoman for MOVEit’s parent company, Progress Software Corp., said it has taken steps to mitigate the effects of the cyber attack. Additionally, the company said it empathizes with affected users and is committed to cooperating in an industry-wide effort to combat cybercriminals.
A Westat representative said the company conducted an extensive investigation and worked with third-party experts to assess the security of the relevant systems and reduce the likelihood of a similar incident in the future.