The state of Illinois was among the victims of a cyberattack by a global ransomware group late last month that is believed to have exploited a vulnerability in a popular file transfer program, the state’s information technology agency announced Friday.
The FBI and the federal Cybersecurity and Infrastructure Security Agency have attributed the attack, which hit Illinois state government May 31, to a ransomware gang called CL0P, which exploited the popular MOVEit Transfer file-sharing software.
Other victims of the attack include the BBC, British Airways and Nova Scotia’s government, according to The Associated Press.
The attack on Illinois’ computer systems was contained within three hours, according to the state Department of Innovation and Technology. But spokeswoman Jennifer Jennings said the agency still is working to determine the extent of the intrusion.
“MOVEit is a file transfer utility used by many state agencies to transfer a variety of files,” Jennings said.
The department’s “current efforts are focused on determining an accurate population of impacted individuals for appropriate notifications,” she said.
The department “believes a large number of individuals could be impacted.”
The Russian CL0P ransomware syndicate announced on its dark web site late Tuesday that its victims — who it suggests number in the hundreds — had until June 14 to get in touch to negotiate a ransom or risk having sensitive stolen data dumped online.
“This is potentially one of the most significant breaches of recent years,” Brett Callow, an analyst at the cybersecurity firm Emsisoft, told the AP. “We’ll have a better sense of how significant it is as more details emerge about the number and type of organizations impacted.”
Ransomware is malicious software that infects a computer system. Those behind ransomware then demand money to allow the system to work properly again or threaten to post sensitive information online if they don’t receive payment.
CL0P claims it does not extort governments, cities or police agencies, the AP reported, but cybersecurity experts say that’s likely a tactic employed in an effort to avoid direct conflict with law enforcement, and that the financially motivated gang can’t be trusted to keep its promise to erase data stolen from those targets.
This is not the first time Illinois state government has been hit by a ransomware group.
In early 2021, the state attorney general’s office was infiltrated by another Russian cybergang. That attack came after an audit warned that “weaknesses in cybersecurity” potentially left sensitive information on the agency’s computer network “susceptible to cyberattacks and unauthorized disclosure.”
It took months for the office to get operations back to normal at a cost of more than $2.5 million, though Attorney General Kwame Raoul, who was elected to a second term in November, said his office did not pay a ransom.
The attorney general’s office was once again warned in an audit released last month that its “lack of adequate cybersecurity programs and practices could result in unidentified risk and vulnerabilities and ultimately lead to the office’s volumes of personal information being susceptible to cyber-attacks and unauthorized disclosure.” The review covered the two-year period that ended June 30, 2022.
Though it wasn’t a ransomware attack, a 2016 breach of the state’s voter registration database by Russian hackers compromised the personal data of 76,000 Illinois residents. The incident was detailed in special counsel Robert Mueller’s report on Russian interference in that year’s presidential election.
The Associated Press contributed.
A previous version of this story gave the incorrect name for Department of Innovation and Technology spokeswoman Jennifer Jennings.