Johns Hopkins confirms MOVEit breach

Johns Hopkins University and Johns Hopkins Health System have confirmed that their systems were affected by a “broad-based cybersecurity attack.”

The prestigious Johns Hopkins University (JHU) and Johns Hopkins Health System (JHHS) have confirmed that both organizations fell victim to the MOVEit Transfer attacks, carried out by Russia-linked ransomware syndicate Cl0p.

“This attack has impacted many large organizations and industries around the world. At Johns Hopkins, we took immediate steps to secure our systems and are working closely with cybersecurity experts and law enforcement,” reads the statement shared with Cybernews.

MOVEit Transfer is managed file transfer (MFT) software from Progress Software. The now-patched zero-day, a SQL injection flaw in the product's web front end tracked as CVE-2023-34362, let unauthenticated attackers reach the MOVEit Transfer database and download the files stored on the server.

JHU listed on Cl0p's dark web blog. Image by Cybernews.

Johns Hopkins did not say what type of data the attackers might have accessed. And although JHU was posted on the crooks' dark web blog, which the gang uses to showcase its latest victims, Cl0p has not revealed what data it managed to capture either.

“The privacy and security of Johns Hopkins community members and our patients is our highest priority, and we are actively in the process of communicating with impacted individuals,” JHU said.

Both JHU and JHHS advised customers to monitor their accounts for irregular activity, consider placing fraud alerts or credit freezes, update online accounts, and be wary of suspicious emails or other communications.

JHU is a private research university, a leader in the US in annual research & development expenditure. Nearly 40 Nobel laureates have been affiliated with the school.

Meanwhile, JHHS is an academically based health system comprising nine organizations, including the Johns Hopkins Hospital, Howard County General Hospital, and Johns Hopkins Medical Management Corporation.

Why is the MOVEit zero-day important?

The Cl0p ransomware gang has taken credit for exploiting the MOVEit zero-day bug. They claim to have breached hundreds of companies in the process. Experts we’ve spoken to say that around 3,000 deployments of the MOVEit application were active when the flaw was first discovered.

So far, over 200 organizations have fallen victim to the attack, with the estimated number of exposed people exceeding 17 million.

Cl0p has been posting victims' names on its dark web leak site since June 14th, including Shell Global, Telos, Deutsche Bank, Radisson, and others. The extent of the exposed data depends on how each company uses the file transfer system and what was sitting on its MOVEit server at the time.

Cl0p operates under the Ransomware-as-a-Service (RaaS) model, which means that it rents the software to affiliates for a pre-agreed cut of the ransom payment.

The gang typically employs the "double-extortion" technique of stealing and then encrypting victim data, refusing to restore access, and publishing the exfiltrated data on its data leak site if the ransom is not paid. In the MOVEit campaign, however, Cl0p relied on data theft alone: files were pulled from the compromised file transfer servers and no encryption was deployed, so the leverage is purely the threat of publication.