US Marshals Service Hacked in ‘Major Incident’


This is the second time the agency has been hacked in recent years, adding to a growing number of agencies that have experienced cybersecurity incidents.

The U.S. Marshals Service was hacked earlier this month, compromising sensitive information, an agency spokesperson confirmed Tuesday.

The Marshals Service is a division of the Justice Department responsible for protecting judges, transporting federal prisoners and operating the witness protection program. 

The incident was discovered on Feb. 17, when the agency found “a ransomware and data exfiltration event affecting a stand-alone USMS system,” which was then disconnected from the network, the spokesperson told Nextgov in an emailed statement. 

The breach did not affect the witness protection database. The affected system contains “law enforcement sensitive information, including returns from legal process, administrative information and personally identifiable information pertaining to subjects of USMS investigations, third parties and certain USMS employees,” the spokesperson noted.

The Justice Department is investigating the incident, which was first reported by NBC on Monday. The investigation and remediation efforts are ongoing.

“We are working swiftly and effectively to mitigate any potential risks as a result of the incident,” the spokesperson added.

On Feb. 22, after being briefed on the matter, officials determined that the hack constituted a “major incident”—requiring the agency to notify Congress.

“The US Marshals data breach is another example of how cybercriminals aim for identities—the most common threat target,” Lior Yaari, CEO and co-founder of Grip Security, told Nextgov in an emailed statement. “In this case, attackers were able to exfiltrate and add to the identity fabric for individuals in the USMS system, including prisoners. We continue to see how the identity fabric is the new frontline, and defenders are racing against adept threat actors seeking to contaminate and compromise it. Compromised identities give cybercriminals an embedded position in identity fabric, thereby extending their presence anywhere and everywhere the identity goes.”

This is the second time the agency has experienced an attack in recent years. The Marshals Service was hacked towards the end of 2019—which came to light in May 2020—in an incident that exposed the personal information of approximately 387,000 prisoners. This prior hack impacted the DSNet system, which houses and transports prisoners within the agency, federal courts and Bureau of Prisons. 

Despite efforts like President Joe Biden’s May 2021 executive order to bolster national security, there is a growing list of agencies experiencing cybersecurity incidents, including the Office of Personnel Management, the Justice Department, the U.S. Agency for International Development and others, as well as other breaches impacting the commercial software purchased by various agencies.

“Last week the DOD confirmed that a server with sensitive information was left exposed to the internet for weeks. Shortly before the DOD incident we saw the FBI hacked by an adversary, and now the U.S. Marshals Service has suffered a major cybersecurity incident,” Eric Noonan, founder and CEO of CyberSheath, told Nextgov in an emailed statement. “We need to be asking three simple and critical questions of our federal government agencies, especially as the government forces their suppliers, the hundreds of thousands of contractors who support these agencies, to meet mandatory cybersecurity minimum standards. First, what standard is the federal government aspiring to comply with? Second, where are they in their journey to get compliant with that standard? Finally, when will they be compliant with the chosen standard? Look, cybersecurity is complex but it’s not always hard. Pick a standard or set of cybersecurity best practices, work to implement that standard, measure your progress as you go. Basically that’s what President Biden’s executive order on cybersecurity called for and he was right, but it doesn’t look like we are making the progress we should be.”

“The real impact of an attack like this is the malicious use of data that the attackers collected,” Joel Bagnal, director of federal at SpyCloud, told Nextgov in a statement. “This data can have a lasting impact and cause damage far beyond the initial incident. Ransomware operators have become more sophisticated, and have started outsourcing parts of their campaigns, including access they’ve gained. Using malware to siphon credentials, system info and cookies, attackers can sell this information to ransomware syndicates to perform additional attacks.”

Bagnal noted that according to “SpyCloud analysis of billions of recaptured data assets from the dark web in 2021 alone, .gov accounts had a 60% password reuse rate.”

That analysis also found that the most reused plaintext password was “password.” 

“To prevent further damage, individuals within a targeted organization should consider resetting passwords and invalidating sessions for critical workforce applications that could be compromised. This enables security teams to quickly remediate much more than the infected device, re-securing affected applications and closing entry points for additional ransomware attacks,” Bagnal said.