The U.S. Department of State is offering a reward of up to $10 million for information that links the recent attacks by the Clop ransomware group to a foreign government. The reward is also being offered for information about any other malicious cyber actors that are targeting US critical infrastructure that links their attacks to a foreign government.
The Clop ransomware group is a Russian-speaking organized criminal group that has conducted thousands of attacks on organizations around the globe, many of which are located in the United States. The group operates under the ransomware-as-a-service model, where affiliates are hired to conduct attacks for a percentage of any profits the attacks generate. The group uses ransomware to encrypt files and demands payment for the keys to decrypt data and engages in double-extortion tactics, where sensitive data is stolen prior to file encryption and threats are issued to publish the stolen data on its data leak site if the ransom is not paid. Some attacks linked to the group, such the those that exploited zero-day vulnerabilities in the Accellion FTA, GoAnywhere MFT, andMOVEit Transfer file transfer solutions were extortion only, where ransomware was not used.
The group is believed to be financially motivated and operates out of Russia. The group’s activities are thought to be tolerated by the Russian government, provided attacks are never conducted within Russia or the Commonwealth of Independent States. The reward is concerned with finding out any information that proves that the group is acting under the direction of a foreign government, be that Russia or another country. The distinction between cybercriminal groups and state-sponsored hacking groups is not always clear.
The latest attacks that exploited the vulnerability in MOVEit Transfer from Progress Software are believed to have given the group access to the data of hundreds of companies. Last week, the group started listing victims on its data leak site to pressure them into paying the ransom. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently confirmed that several federal agencies had data compromised in these attacks, including the Department of Energy. Clop has claimed that it will delete any data that has been stolen from government agencies, but it is unclear to what extent, if any, the group follows through with that promise.
The reward is being issued under the Department of State’s Rewards for Justice (RFJ) program, which provides financial incentives to encourage individuals to disclose information about any actors that conduct attacks that threaten national security. Last week, CISA Director, Jen Easterly, said the MOVEit attacks appear to have been opportunistic and did not focus on any high-value information, and are not of the same ilk as the SolarWinds campaign. She also said that CISA has not been provided with evidence that links the attacks to the Russian government. If there is such a link, the Department of State hopes the sizeable reward will be sufficient to convince people to speak up, including on whether any data stolen from federal agencies has been passed to a foreign government, even if the attacks themselves were not conducted with state involvement.
A Tor SecureDrop server has been set up to allow information to be securely shared.