Despite a fall off in ransomware attacks since last year, the U.S. Marshals Service on Monday disclosed that it suffered a “major” breach of its computer network on Feb. 17 that included a ransomware component.
Numerous recent cybersecurity reports suggest that ransomware is becoming less profitable for cybercriminals as more victims refuse to pay their attackers. But a wave of ongoing hack attacks continues to target businesses and government organizations.
U.S. Marshals Service spokesperson Drew Wade said in comments to news outlets on Monday, Feb. 27, that the agency received a ransomware demand and found a data exfiltration event that affected the agency’s stand-alone computer system.
According to Wade, the attack affected information involving sensitive law enforcement details, returns from legal processes, and administrative information. However, the ransomware failed to impact the Witness Security Program as the service disconnected computers from the network.
The attack also obtained personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees. The breach touched records about targets of ongoing investigations, employee personal data, and internal processes.
“The data exfiltration attack against the U.S. Marshals service serves as a sobering reminder of the far-reaching and devastating effects that cyberattacks can have on our most critical institutions,” Dimitri Nemirovsky, co-founder and COO of decentralized encryption key management firm Atakama, told TechNewsWorld.
“The theft of U.S. Marshal confidential data can compromise ongoing investigations, endanger the lives of law enforcement officers, and undermine public trust in our justice system,” he added.
Engaging Damage Control
The Marshals Service, a federal agency responsible for tracking down and capturing fugitives wanted by law enforcement, also is part of the U.S. Department of Justice. Besides its work with fugitives, the service provides security at federal courthouses nationwide, among other duties.
Government officials have yet to identify possible culprits in the cyberattack. But Marshals Service workers have reportedly created a workaround to maintain its internal activities and searches for fugitives.
The announcement of the US Marshals breach comes a week after the FBI said it “contained” a security incident on its network. It is the latest successful intrusion into government records amid ongoing hacking attempts into various levels of government and public institutions in the past several months.
For instance, the DOJ infiltrated and disrupted the Hive ransomware group in late January. According to news accounts, the group had targeted over 1,500 victims in more than 80 countries, extorting hundreds of millions of dollars in ransom payments.
“We must remain vigilant in our efforts to defend against these attacks and safeguard sensitive information to prevent it from being exposed,” offered Nemirovsky. “Implementing proactive, granular data protection measures to safeguard all confidential, sensitive, and personally identifiable information should not be an afterthought.”
U.S. government officials have been mum on details about the dynamics of the cyber breach. Other than confirming that a ransomware component was involved, insiders have not said whether the service received threats of divulging breached information or if a payment was demanded. Also unknown at this point is whether the attack involved encrypting files on the server.
“In today’s digital age, protecting sensitive files at the granular level is not just an option; it is a necessity,” observed Nemirovsky.
Unofficially, some cybersecurity workers suggested that ransomware threats are sometimes included as a ruse to mask other attack objectives. Among the list of unanswered questions is how the attackers succeeded in bypassing network security measures.
Heightened Investigation Needed
While we do not know yet the exact information these threat actors were able to exfiltrate from the U.S. Marshals Service, the ramifications could be significant, warned Darren Guccione, CEO and co-founder at Keeper Security.
“Based on the information we do have, the information stolen has the potential to compromise ongoing investigations, including witnesses and informants, put USMS employees in danger, and disrupt time-sensitive operations while the USMS recovers,” Guccione told TechNewsWorld.
Another significant ramification is the impact on public trust and confidence in the U.S. Marshals Service, he added.
A Case of Lessons Maybe Not Learned
This apparently quite serious breach again demonstrates that even the most vigilant entities are not immune from ransomware and other sophisticated attacks, according to Bryan Cunningham, Advisory Council Member at Theon Technology.
“As a victim of the Chinese hack of U.S. OPM security clearance files, it is infuriating that our government — or at least the USMS — has apparently not learned from its prior mistakes. It sounds like this data may not have even been encrypted,” he told TechNewsWorld.
Cunningham is certain the story will get worse as the incident is investigated. Almost all data-exfil/ransomware attacks result from poor training and security awareness, which is particularly disappointing in a U.S. law enforcement agency, he suggested.
“That said, it is not all that surprising as humans are fallible, and attacks are becoming ever more sophisticated. This reinforces the imperative of developing quantum-resistant encryption and much better security awareness training and enforcement. Someone needs to be held accountable here,” he advised.