My Take: Russian hackers put the squeeze on U.S. agencies, global corps in MOVEit-Zellis hack

By Byron V. Acohido

It was bound to happen. Clop, the Russia-based ransomware gang that executed the MOVEit-Zellis supply chain hack, has commenced making extortion demands of some big-name U.S. federal agencies, in addition to global corporations.

Related: Supply-chain hack ultimatum

The nefarious Clop gang initially compromised MOVEit, which provided them a beachhead to gain access to Zellis, a UK-based supplier of payroll services. Breaching Zellis then gave them a path to Zellis’ customer base.

According to Lawrence Abrams, Editor in Chief of Bleeping Computer, the Clop ransomware gang began listing victims on its data leak site on June 14th, warning that they will begin leaking stolen data on June 21st if their extortion demands are not met.

Among the victims listed were Shell, UnitedHealthcare Student Resources, the University of Georgia, University System of Georgia, Heidelberger Druck, and Landal Greenparks.

As for federal agencies, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed breaches due to this vulnerability. “CISA is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity, emphasizing the urgency to understand the impacts and ensure remediation. According to Federal News Network, Oak Ridge Associated Universities and the Energy Department’s Waste Isolation Pilot Plant were victims of the cyberattack, with Energy Department sources treating it as a “major incident.”
U.S. government agencies have not yet received any ransom demands, but the threat looms large. Rafe Pilling, Director of Threat Research at Dell-owned Secureworks, told CNN, “Adding company names to their leak site is a tactic to scare victims, both listed and unlisted, into paying.”

Progress Software, the company behind MOVEit, has acknowledged the vulnerability and taken swift measures to mitigate it. The company also revealed it has discovered a second flaw in the software that could be exploited, which it is working urgently to patch.
It’s clear that the present situation underscores the need for robust cybersecurity measures to shield our digital infrastructure from increasingly sophisticated threats. Although CISA Director Jen Easterly has said the MOVEit intrusions are not being leveraged to steal specific, high-value information, the scale and rapidity of the cyberattacks remain cause for concern. This is especially true considering that numerous organizations and companies are still investigating and working out the scope of their involvement in this breach.

Gerasim Hovhannisyan, CEO of email security provider EasyDMARC, observes that the MOVEit-Zellis hack should put a spotlight on supply chain vulnerabilities arising in the highly interconnected, cloud-centric operating environment.

“Businesses and governmental organizations alike should be considering third-party suppliers and partners as part of their cybersecurity ecosystem and stressing the need for them to implement rigorous security protocols,” Hovhannisyan told Last Watchdog.

Hovhannisyan advocates focused use of email authentication tools such as SPF, DKIM, and DMARC. “No organization can expect perfection and should therefore work to stop these emails from hitting inboxes in the first place,” he says.

Philippe Humeau, CEO of CrowdSec, argues that this milestone supply-chain hack should add momentum to a consensus that the U.S. is in dire need of actually implementing a robust national cybersecurity strategy.

“As cyberattacks like this one become more prevalent, it only demonstrates the urgent need to implement the new National Cybersecurity Strategy,” Humeau told Last Watchdog. “The fact of the matter is that there are way more lawful internet users than there are cybercriminals, and being able to identify and proactively block known malicious actors helps break through the background noise and allows cyber professionals to focus on detecting more targeted threats.”

The Clop ransomware group’s tactics are reminiscent of past attacks involving the Accellion FTA, GoAnywhere MFT, and SolarWinds Serv-U managed file transfer platforms, wherein threat actors demanded hefty ransoms to prevent data leaks. This presents a persistent and evolving threat landscape that demands constant vigilance and proactivity from organizations, governments, and cybersecurity agencies alike.

In the face of this international cyberattack, the pressing need is to focus on modernizing cybersecurity infrastructures, securing vulnerable platforms, and intensifying the fight against such ransomware attacks. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.