Hackers accessed 632,000 email addresses at US Justice, defense departments

A Russian-speaking hacking group obtained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice as part of the sprawling MOVEit hack last summer, according to a report on the wide-ranging attack obtained through a Freedom of Information Act request.

The report, by the US Office of Personnel Management, provides new details about a cyberattack in which hackers exploited flaws in MOVEit, a popular file-transfer tool. Federal cybersecurity officers previously confirmed that government agencies were compromised by the attack but have provided little information on the scope of the attack, nor did they name the agencies affected. 

The Office of Personnel Management, in a July report on the incident submitted to a congressional committee, said an unauthorized actor obtained access to government email addresses, links to government employee surveys administered by OPM and internal OPM tracking codes. The impacted employees were at the Department of Justice and various parts of the Defense Department: the Air Force, Army, US Army Corps of Engineers, the Office of the Secretary of Defense, the Joint Staff and Defense Agencies and Field Activities. 

The Office of Personnel Management characterized the hack, which occurred on May 28 and May 29 as a “major incident,” but also said it didn't have reason to believe it posed a significant risk and that the compromised data was “generally of low sensitivity” and not classified. 

The Department of Justice and the Department of Defense didn't immediately respond to requests for comment.

Other US agencies have previously confirmed that they were affected by the MOVEit breach, including the US Department of Health and Human Services, the Department of Agriculture, and the General Services Administration. The Energy Department received ransom requests from the hackers after two of its entities fell victim to the intrusions.

A hacking gang called Clop, or Cl0p, was blamed for the attack. So far, more than 2,500 organizations have been impacted, Brett Callow, a threat analyst at the cybersecurity firm Emsisoft, posted on X, the platform formerly known as Twitter. Among the victims were government services provider Maximus Inc. and the Louisiana Office of Motor Vehicles, according to the firm. 

The eight-page report, submitted to the House Science, Space and Technology Committee, said hackers were able to obtain access to the data by exploiting vulnerability in the MOVEit file transfer program used by Westat Inc., a vendor OPM uses to administer what is known as Federal Employee Viewpoint Surveys. The report said there was “no indication” that any unauthorized user accessed any of the survey links. 

A spokesperson for Progress Software Corp., MOVEit's parent company, said it has taken steps to mitigate the impact of the cyberattack. In addition, the company said it empathizes with users who have been impacted and is committed to playing a collaborative role in an industrywide effort to combat cybercriminals.

A representative for Westat said the company conducted an extensive investigation and worked with third-party specialists to assess the security of relevant systems and to reduce the likelihood of a similar future incident.