The big picture: The US government has had a bad run of cybersecurity-related incidents over the last couple of weeks. In the span of 12 days, officials from the FBI, DoD, and USMS have confirmed one data leak caused by human error and two separate attacks against government systems. So far, investigators have either not found any suspects or are keeping the lid on what they have discovered.
On Monday, the US Marshals Service (USMS) announced that it had been hit by a ransomware attack. The breach exposed a cache of data, including personally identifiable information (PII) of USMS employees. Officials say the compromise was isolated to one “stand-alone” system, which has since been taken offline, and that operations were not interrupted.
“The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” spokesman Drew Wade told NBC News.
The intrusion occurred on February 17, and senior Justice Department officials have classified it as a “major” incident. A forensic investigation is under way, but little has been made public: officials at the DoJ and USMS have named no suspects and have not disclosed the ransom demand.
They did say that the attack did not touch the Witness Security Program database and assured the public that nobody in witness protection is at risk. The compromised system primarily held information on current investigations, but the USMS has put a “workaround” in place to keep operating without it.
The attack came suspiciously close to another intrusion into federal law enforcement computers. On the same day the USMS system was breached, the FBI announced it had “contained” a cybersecurity incident on its own systems.
Bureau officials were tight-lipped about the attack, declining to say which systems were affected, who might be responsible, or what damage was done. However, anonymous sources briefed on the incident told CNN that the breach involved the FBI’s child sexual abuse material (CSAM) system at a “high-profile” field office in New York. Officials are still investigating the origin of the attack, but it does not appear to have involved ransomware. An FBI spokesperson described it as an “isolated incident.”
As if that were not enough, the Department of Defense suffered a data leak last week thanks to a misconfigured email server. The system was hosted on a Microsoft Azure account reserved for DoD personnel and isolated from civilian servers. The exposed emails contained “sensitive but not classified” information.
One example was a completed SF-86, the questionnaire applicants fill out when seeking a security clearance. A document of this type contains PII and other sensitive personal history that would be valuable to foreign intelligence services.
The wide-open server was spotted by a security researcher and reported to the DoD, and administrators reconfigured it immediately. As far as anyone knows, no one but the researcher accessed the data during the few weeks it was exposed.