Analysis-MOVEit hack spawned over 600 breaches but is not done yet -cyber analysts

By Raphael Satter and Zeba Siddiqui

WASHINGTON/SAN FRANCISCO (Reuters) -A hydra-headed breach centered on a single American software maker has compromised data at more than 600 organizations worldwide, according to cyber analyst tallies corroborated by Reuters.

But more than two months after the breach was first disclosed by Massachusetts-based Progress Software, the parade of victims has scarcely slowed. The tallies show that nearly 40 million people have been affected so far by the hack of Progress' MOVEit Transfer file management program. Now the digital extortionists involved, a group named "cl0p", have become increasingly aggressive about thrusting their data into the public domain.

"We are just in the very, very early stage of this," said Marc Bleicher, chief technology officer of the incident response firm Surefire Cyber. "I think we'll start to see the real impact and fallout down the road."

MOVEit is used by organizations to ship large amounts of often sensitive data: pension information, social security numbers, medical records, billing data and the like. Because many of those organizations were handling data on behalf of others, who in turn got the data from third parties, the hack has spiraled outward in sometimes convoluted ways.

For example, when cl0p subverted the MOVEit software used by a company called Pension Benefit Information, which specializes in locating surviving family members of pension fund holders, they gained access to the data of the New York-based Teachers Insurance and Annuity Association of America, which in turn manages pension programs for 15,000 institutional clients, many of whom have spent the past weeks notifying employees of their exposure.

"There’s this domino effect," said Huntress Security's John Hammond, one of the earliest researchers to start tracking the breach.

Hacks by groups like cl0p occur with a numbing regularity. But the sheer variety of victims of the MOVEit compromise, from New York public school students to Louisiana drivers to California retirees, have made it one of the most visible examples of how a single flaw in an obscure piece of software can trigger a global privacy disaster.

Christopher Budd, a cybersecurity expert with the British firm Sophos, said the breach was a reminder of how interdependent organizations were on one another's digital defenses.

Progress said it had been the victim of "an advanced and persistent cybercriminal group" and that its focus was on supporting its customers.

'THOUSANDS OF COMPANIES'

Cl0p's hacking campaign began on May 27, according to two people familiar with Progress’ investigation.

Progress first got wind of the compromise the next day, when a customer alerted the firm to anomalous activity, these sources said. On May 30 the company sent a warning, and the next day issued a "patch", or repair, which partially thwarted the hackers’ campaign.

"Many organizations were in fact able to deploy the patch before it could be exploited," said Eric Goldstein, a senior official at the U.S. Cybersecurity and Infrastructure Security Agency.

Not all organizations were so lucky. Details on the amount of stolen material or the number of organizations affected are not publicly available but Nathan Little, whose firm Tetra Defense - part of the security company Arctic Wolf - has responded to dozens of MOVEit related incidents, estimated the breach likely affected thousands of companies.

"We may never know the exact detailed number," he said.

Some analysts have tried to keep track. As of Tuesday, cybersecurity firm Emsisoft had totaled up 602 victims with 39.7 million people affected.

German IT analyst Bert Kondruss has come up with similar figures, which Reuters corroborated by cross-checking them against public statements, corporate filings and cl0p’s posts.

WHO HAS BEEN EXPOSED?

Educational organizations - colleges, universities, and even New York City public schools - made up a quarter of the victims, with Emsisoft and Kondruss counting more than 100 in the U.S. alone.

The exposure has gone well beyond academia.

Drive a car? The Louisiana and Oregon motor vehicle authorities collectively disclosed the compromise of around 9 million records. Retired? Pension management organizations such as the California Public Employees' Retirement System and T. Rowe Price were breached via Pension Benefit Information. The breach at U.S. government contractor Maximus alone resulted in the compromise of between 8 to 11 million people's records.

A tenuous silver lining? The hackers may have ingested too much data to release it all.

Alexander Urbelis, senior counsel with New York-based law firm Crowell & Moring, which has helped victims gauge their exposure to the hackers’ dragnet, said extraordinarily slow download speeds from the hackers' creaky darknet website "made it all but impossible for anyone" - whether well-intentioned or otherwise - "to access the stolen data."

Goldstein, the U.S. official, said in "in many cases" data had yet to be leaked.

Cl0p, which didn't return Reuters' messages, seems to be trying to up its game. Late last month it created websites specifically intended to better spread stolen data. Earlier this week it started sharing the data via peer-to-peer networks.

That's bad news for the victims, said Surefire's Bleicher.

"Once this data starts to be slowly leaked, it shows up more on the underground," he said. The impact of the breach in turn "will probably get much larger than we think it is now."

(Reporting by Raphael Satter and Zeba Siddiqui; Editing by Chris Sanders and Grant McCool)