Over 600,000 Defense, Justice Department Employee Emails Hacked in Cyber Attack
New information is available about the scope of the MOVEit cyber-attack that hit the federal government and private organizations in May 2023.
Over 632,000 email addresses of Department of Defense (DOD) and Department of Justice (DOJ) employees were compromised by hackers in the attack, according to Bloomberg, which obtained the information through an Office of Personnel Management (OPM) report under a Freedom of Information Act (FOIA) request.
Until now, we did not know that DOD and DOJ employees were compromised, although other agencies, such as the Department of Health and Human Services (HHS), the Department of Agriculture (USDA), and the General Services Administration (GSA), had disclosed they were impacted by the MOVEit breach. Federal cybersecurity officials had previously confirmed the attack but provided little information on the scope.
The hack occurred on May 28 and May 29, 2023, and was classified as a major incident. However, OPM said the exposed material was not classified and is “generally of low sensitivity.”
Hacked emails belonged to employees of various parts of DOD including the Air Force, the U.S. Army Corps of Engineers, the Office of the Secretary of Defense, and the Joint Staff.
A Russian hacking gang known as Clop is blamed for the incident, which impacted more than 2,500 organizations worldwide.
The OPM report said hackers were able to get access by exploiting a vulnerability in the MOVEit file transfer program owned by Progress Software. That program is used by Westat Inc., a vendor OPM uses to administer the Federal Employee Viewpoint Survey (FEVS).
The report found no indication the hackers accessed any of the survey links.
Westat told Bloomberg that the company “worked with third-party specialists to assess the security of relevant systems and to reduce the likelihood of a similar future incident.”
Still, cyber experts warn that third-party software must be strictly monitored.
“It’s yet another example of how things can go south if we’re not on top of what third-party software we’re using and consistently staying up to date with vulnerability management,” Apona Security head of products Roger Neal told ClearanceJobs.
Congressional Action
This comes as cybersecurity and the protection of sensitive information remain key bipartisan issues in Congress.
Among the legislation is the Moving Americans Privacy Protection Act, which advanced out of the House Ways & Means Committee after passing the Senate by unanimous consent.
The legislation requires U.S. Customs and Border Protection (CBP) to remove personally identifiable information (PII) such as Social Security and passport numbers from cargo manifests before public disclosure. Currently, CBP must make all commercial manifest information available to data brokers.
This week, researchers at Duke University released a report finding data brokers frequently obtain and cheaply sell the personally identifying information of U.S. servicemembers.
“If researchers are able to purchase this, acting in ethical ways, subject to university ethics processes, it would be very easy for a foreign adversary to do so,” said Justin Sherman, a researcher at Duke who led the project, according to POLITICO. “The Russian intelligence services don’t have a ban on deception.”