Data breach hits US Marshals Service.
N2K, Feb 28, 2023

The US Marshals Service suffered a data breach over a week ago that compromised sensitive information, including law enforcement data and the personally identifiable information of employees and those under investigation.

Data breach hits US Marshals Service.

A data breach that the US Marshals Service (USMS) describes as a ransomware and data exfiltration event has been reported. Witness Protection Program data are said to be safe, but some data on those under investigation, as well as data pertaining to USMS employees, are believed to have been compromised, NBC News correspondent Tom Winter reported in a tweet thread yesterday evening.

USMS identifies the attack as ransomware.

NBC News yesterday evening broke the news of the breach. “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” said Drew Wade, a Marshals Service spokesperson. The February 17 discovery of what Wade calls “a ransomware and data exfiltration event affecting a stand-alone USMS system” led to the affected system being disconnected from the network. The USMS is investigating the attack as a “major incident,” Bleeping Computer writes. Justice Department officials were briefed last Wednesday. The breach is said to have left the Witness Security Program, better known as the Witness Protection Program, untouched, USA Today reported in an update this morning.

An attack reminiscent of a 2020 USMS breach, and identities seem to have been the targets.

Bleeping Computer notes that this breach follows the May 2020 disclosure of an earlier breach of the USMS. That breach, which occurred in December 2019, compromised personally identifiable information (PII) of 387,000 former and current inmates. TechCrunch reported at the time that the exposed information included “name, address, date of birth and Social Security number, which can be used for identity fraud.”

Lior Yaari, CEO and Co-Founder of Grip Security, discusses the cybercriminal desire to target identities and the risks that a compromised identity poses:

“The US Marshals data breach is another example of how cybercriminals aim for identities — the most common threat target. In this case, attackers were able to exfiltrate and add to the identity fabric for individuals in the USMS system, including prisoners. We continue to see how the identity fabric is the new frontline, and defenders are racing against adept threat actors seeking to contaminate and compromise it. Compromised identities give cybercriminals an embedded position in identity fabric, thereby extending their presence anywhere and everywhere the identity goes.”

“As the investigation unfolds, we may discover the motive (which could vary). But whoever it was and whatever their motives, we can see their target — identities, and with them, the power to go anywhere.” 

The pervasive nature of ransomware and its implications.

Jon Miller, Chief Executive and Co-Founder of Halcyon, discusses the pervasive nature of ransomware attacks, noting that the underlying concern is how long the attackers were inside USMS systems before the ransomware was deployed:

“The recent USMS attack proves that no one is immune from being the victim of a ransomware attack. It's admirable they disclosed the attack to be transparent. At this time, very little information is available regarding the full scope and impact of the attack, and it will likely be a while before the investigation is complete. It is important to note they are only 10 days into an incident response on an event authorities are calling a 'major incident.' Further investigation may reveal that the attack was more widespread, occurred over an extended period, or exposed more sensitive information than initially thought. That's just the nature of an IR at this scale. It could be months before we know for sure.

“While the notion that a major US LEO agency was hit with ransomware is alarming, the real issue here is that we don't know how long the attackers have been in the system(s) before they decided to drop the ransomware payload. However, we know they were in the system(s) long enough to gain access to sensitive information and exfiltrate it, presumably to be leveraged in a double extortion scheme as added leverage to force payment of the ransom demand. Even if a ransom is paid, there is no guarantee the attackers would honor any agreement to not expose the data, or worse, that it would be used in other attacks. Not to mention, if the attackers were in the USMS network for an extended period and stole large amounts of data, they likely have established persistence, have elevated privileges and have deployed additional malware beyond just the ransomware payload reported. Thus, it could be difficult to kick them out of the infected systems quickly. Furthermore, there is also the possibility that the ransomware attack itself is a distraction to divert attention from the "real attack," where ransoming data and systems is not the actual objective of the attackers.

“The worst-case scenario is that all of the above is in play: quick cash in a ransomware attack, diverting attention and resources while continuing to expand the attack, exfiltrating more sensitive data to be monetized, and moving deeper into the network or spreading to other systems. This is often the case with more complex, multi-staged ransomware operations - or RansomOps - where there are weeks to months of detectable attacker activity on the targeted network before the ransomware payload is delivered.

“This spotlights why organizations cannot only focus on the detection/prevention side of the cyberattack equation. They must also implement the necessary requirements to be truly resilient, providing the confidence that even when an attack like this is successful, the organization is ready and able to respond quickly and decisively to ensure that any potential disruption to operations is kept to an acceptable minimum. A robust defense is key, but resilience is how we will win the battle and remove the economic incentive for further ransomware attacks.”

(Added, 11:00 PM ET, February 28th, 2023. Industry experts have offered additional comment on the US Marshals Service incident.

Nick Tausek, Lead Security Automation Architect at Swimlane, wrote to explain the implications of classifying the attack as a major incident:

"The U.S. Marshals Service is looking into a significant ransomware attack that exposed some of its most private data, including materials used in law enforcement and the personal information of staff members who could become the subject of federal investigations. Deemed a 'major incident' by officials, the attack allowed hackers to access employee information, information on wanted fugitives and information regarding unidentified third parties.

"According to U.S. policy, 'major incidents' are regarded as 'significant cyber incidents' that have the potential to do tangible harm to the economy, national security, or civil liberties of the United States, as well as to public trust and safety. These incidents are required to be reported to Congress within seven days. 

"Although the U.S. Marshals Service has created a quick fix to continue investigations into fugitives in the midst of the attack, routine operations are sure to be hindered. Government agencies and the federal justice system continue to be hot targets for cybercriminals due to the classification of sensitive information stored by their systems and the negative repercussions coming out of such an attack that could more easily sway officials to pay high ransom. 

"This attack comes as the Biden administration attempts to shore up the nation's cybersecurity posture, as they are poised to release their new National Cyber Strategy document (the first time in 15 years such a document has been published by the White House). This upcoming blueprint for the nation's cybersecurity will recommend and outline possible regulations to decrease risk across key industries, especially those that service the federal government, and will be the first National Cyber Strategy to recommend a regulatory approach.

"To prevent and eliminate the chances of a targeted cyberattack such as the one on the U.S. Marshals Service, organizations must be staying on top of their cybersecurity strategy. Leveraging a low-code security automation platform that goes beyond just doing the work, but automates that work as well to minimize the chances of error by human involvement as well, is the first step in achieving a robust cybersecurity ecosystem. These platforms allow full visibility into IT environments, ensuring the highest level of protection over valuable human information and alerts in real-time to assist in thwarting any potential threats."

Eric O’Neill, National Security Strategist at VMware, points to signs that the breach may have been traceable to a misconfiguration, and discusses the potential implications of the data exposure. “The recent attack on The U.S. Marshals Service is concerning for a few reasons. First, it appears that the attack was isolated to a single local system, which suggests that the attacker exploited a vulnerability or misconfiguration. My second concern is that the attacker may have 'ways and means' information that will assist the attacker or other criminal and espionage threat actors in understanding how the Marshals conduct investigations, process detainees, and other sensitive information. This can provide savvy criminals an opportunity to understand the Marshal service tactics and procedures.

"While the Marshals claim that no information from their 'holy grail' of data - the witness protection program - was compromised, they do admit to the theft of personal information regarding investigations and employee data. As a former undercover operative, this is very concerning to me. Identities of US Agents can compromise their safety, particularly when linked to certain investigations. Furthermore, if some of this information relates to confidential informants, that can possibly undermine current investigations, place individuals in danger and help criminals escape the hand of Justice.”

Jeannie Warner, director of product marketing at Exabeam, writes that the goal of ransomware is often data theft.

"This incident illustrates how ransomware is often a means to the end of what adversaries want the most: data. Fortunately, the federal government acted quickly to isolate the affected system from the rest of the network before the threat actors had the chance to move laterally and do more damage. 

"Organizations continue to have a diluted perspective on ransomware. There is enough out there on what it is, how it works, and a massive push to "stop" it, but we never solved the foundational problems that make it possible. Ransomware is a combination of insufficiently hardened systems and a missed intrusion period. The attacks are only possible because of a weakness in an environment that begins with or later involves compromised credentials. If you unsuccessfully manage your environment hardening and intrusions, you will eventually fall victim to ransomware."

Warner offers some reasons for the prevalence of ransomware.

"Easy targets are ones that lack sophisticated defenses and monitoring – places with budget battles like state agencies, LEO, and education. And it’s highly profitable. There’s incentive to run ransomware for multiple reasons:

  1. "The ransom (often demanded in bitcoin these days to remove tracing to the destination)
  2. "It is the ultimate DOS attack
  3. "Harvesting data from the systems before locking them – then selling or using the data

"Many agencies have not yet invested in the credential-protecting and monitoring software that could slow or stop attacks. Without patching these core vulnerabilities and setting up monitoring properly, it’s very hard to break the cycle of compromise.

  1. "Organizations lack budgets and don’t focus on credential behavior detection/protection software
  2. "Ransomware software is becoming easy to use – there are literally videos showing a would-be threat actor what to do
  3. "Ransomware “detects itself,” so the reported numbers will only increase.”

Julie Davila, Sophos Field CTO, Federal, observes that even as hard a target as a U.S. Justice Department agency can, with skill, persistence, and opportunity, be breached:

“The Department of Justice generally has a very mature cybersecurity posture relative to federal government averages, and has one of the best resourced cybersecurity programs in the federal space. However, as with any organization, there isn’t going to be perfect security. If we read between the lines, it seems a singular standalone system was impacted, and it was quickly isolated. Something that makes the US Marshal’s department look good (from an Incident Response context) is that it was able to go public within two weeks about the attack; often agencies don’t mention breaches for many months especially in the defense industrial base (DIB) due to long investigation cycles.

“Ransomware is something that is often associated with small to medium sized and less sophisticated enterprise organizations; cybercriminals are typically not targeting federal agencies with ransomware. However, even large, high security organizations like the US Marshals, a Department of Justice component, are under threat.”

“In general, Sophos continues to react to and remediate significant ransomware activity around the world. We don’t expect ransomware attacks to materially slow soon. They will become more intricate, harder to detect, and require layered security, including perimeter endpoint protection and “eyes of glass” to detect network anomalies in order to respond and ultimately stop active attackers with a ransomware endgame in mind.”  

Jason Kent, Hacker in Residence, Cequence Security, offers a similar observation: if it happened to the Marshals Service, it can happen to essentially anyone.

"Illustrating that no one is safe, even the U.S. Marshals, ransomware rises up again. Now many of us have gotten used to ransomware being a virus that simply encrypts your data until you pay to have the keys to decrypt (or likely pay and never get the keys) and recover. Here we see that the attackers are looking for damaging data and exfiltrating it for off-site storage. This means they are now in control of this data, something that we often forget, and can now sell it on the open market. These data exfiltration channels are often very hard to find and most organizations are unable to look at data flowing out of their organization for data loss due to the attackers encrypting it on the way out."
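Kent's point that content inspection cannot see inside an attacker-encrypted outbound stream is why egress monitoring usually falls back on volume and destination rather than payload. The following is an added example, not code from Cequence Security or from any system the article describes: it builds a per-host daily egress baseline from constructed flow records and flags a day on which a host sends far more than its own history to a destination the baseline has never seen. All hosts, addresses (203.0.113.45 is a documentation-range address) and byte counts are constructed.

```python
"""Egress-volume anomaly check over constructed flow records.

Added example; not the Marshals Service's data or any vendor's code.
Flow records are (day, host, dst_ip, bytes_out). The detector does not
look at payload at all, so encryption of the exfiltrated data does not
hide it: it compares each host's daily outbound total against that
host's own baseline and reports destinations absent from the baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: five days of ordinary traffic for two hosts.
BASELINE_FLOWS = [
    (d, "wks-17", "10.0.5.20", b)
    for d, b in enumerate([52_000_000, 61_000_000, 48_000_000, 70_000_000, 55_000_000], 1)
] + [
    (d, "fileserv-02", "10.0.5.20", b)
    for d, b in enumerate([410_000_000, 395_000_000, 430_000_000, 402_000_000, 418_000_000], 1)
]

# Constructed observation day: wks-17 pushes 4 GB to an address never seen
# in the baseline, alongside its usual traffic; fileserv-02 is unremarkable.
OBSERVED_FLOWS = [
    (6, "wks-17", "10.0.5.20", 58_000_000),
    (6, "wks-17", "203.0.113.45", 4_000_000_000),
    (6, "fileserv-02", "10.0.5.20", 425_000_000),
]


def daily_totals(flows):
    """Return {host: {day: total_bytes_out}}."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    per_host = defaultdict(dict)
    for (host, day), total in totals.items():
        per_host[host][day] = total
    return per_host


def build_baseline(flows):
    """Per host: (mean daily egress, population stdev, set of known destinations)."""
    known_dsts = defaultdict(set)
    for _day, host, dst, _b in flows:
        known_dsts[host].add(dst)
    stats = {}
    for host, days in daily_totals(flows).items():
        vals = list(days.values())
        stats[host] = (mean(vals), pstdev(vals), known_dsts[host])
    return stats


def find_egress_anomalies(baseline, flows, sigma=3.0, min_bytes=500_000_000):
    """Flag (host, day) whose egress exceeds mean + sigma*stdev AND an
    absolute floor (so a quiet host's small jitter is not an alert).
    Hosts with no baseline are judged on the floor alone."""
    dsts_by_day = defaultdict(lambda: defaultdict(set))
    for day, host, dst, _b in flows:
        dsts_by_day[host][day].add(dst)

    alerts = []
    for host, days in daily_totals(flows).items():
        mu, sd, known = baseline.get(host, (0.0, 0.0, set()))
        for day, total in days.items():
            if total > mu + sigma * sd and total > min_bytes:
                alerts.append({
                    "host": host,
                    "day": day,
                    "bytes": total,
                    "baseline_mean": mu,
                    "new_destinations": sorted(dsts_by_day[host][day] - known),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

The floor and the sigma multiple are both tunable; in practice the baseline window would be longer than five days and totals would be kept per hour rather than per day, but the structure is the same: a volume and destination check that works whether or not the attacker encrypted the data on the way out.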

Jan Lovmand, CTO at BullWall, describes some of the operational implications of the attack:

“Even organizations with extensive resources and expertise fall victim to ransomware attacks. The U.S. Marshals Service (USMS) is responsible for catching fugitives and handling federal prisons in the US and has all the resources of the US government at their disposal. Not unlike the cyber attack on the FBI’s New York Field Office last week, they are a high government profile target and not immune to determined malicious hackers. 

“In addition to the theft of highly sensitive information, these ransomware attacks can cause significant operational disruption. The U.S. Marshals Service's system contained sensitive information, including returns from legal processes, administrative information, and PII of USMS employees and subjects of investigations. 

“Containment and after-action strategies are crucial for all organizations to mitigate the risks associated with ransomware attacks. Organizations must have a response plan in place to contain the attack, preventing further damage, as well as a strategy for recovery and restoration of data and systems. These plans should be regularly updated and tested to ensure their effectiveness.”

Javvad Malik, lead awareness advocate at KnowBe4, sees the incident as a good example of a persistent attack in which the threat actor gradually increased its hold on the victim's network. “This attack is a textbook persistent attack where the attackers increased their foothold in stages and without rushing the process. This is why even minor breaches should not be overlooked. Many times we see statements from organizations which have suffered a breach downplaying the incident and stating that no financial data was stolen. But no incident should be considered small and should be thoroughly investigated to ensure that any stolen information cannot be used to launch further targeted attacks.")

(Added, 9:45 AM ET, March 1st, 2023. Steve Stone, head of Rubrik Zero Labs, wrote about some lessons in resiliency that might be learned from the incident. “The recent cyber attack on the United States Marshals Service (USMS) is another example of a 'not if, but when' scenario. According to the Rubrik Zero Labs "State of Data Security" report, nearly all (98%) organizations experienced a cyber attack in the last year. We're thankful that USMS placed the witness protection material in a different location than that impacted by the breach earlier this month - rendering it immune to this event. That's resiliency 101 - and that's how we'll continue to come out ahead against these detrimental intrusions.”)

(Added, 3:45 PM ET, March 1st, 2023. James Graham, vice president at RiskLens, offers the dispiriting argument that, bad as ransomware is in its effects on a business, it can be even worse when it hits a government organization. "For a commercial entity, a ransomware event is catastrophic, but for a government agency (and especially a law enforcement agency) it can be even worse. In addition to quantifiable costs like response, recovery and potentially fines based on the exposure of data, a government data breach can erode public confidence and trust, a cost potentially far greater than any other," Graham writes. "This incident is another salient example highlighting the critical importance of understanding cyber risk. Organizations in all sectors, and especially government agencies, should operate under a solid understanding of where their cyber risk lies to effectively bolster defenses and prepare themselves for potential loss.")

(Added, 5:45 AM ET, March 2nd, 2023. Terry Olaes, Product Marketing Manager at Skybox Security, takes a quick look at the incident as showing the back-and-forth between law enforcement and gangland. "This recent ransomware attack on the U.S. Marshal Services has affected a computer system containing sensitive law enforcement information. The breach has been classified as a 'Major' incident, which according to U.S. policy means it is a significant cyber incident deemed likely to result in demonstrable harm to U.S. national security, foreign relations, the economy, or the public health and safety of the American people," Olaes said. "This major security incident happened just one month after the U.S. Department of Justice’s seizure of the Hive ransomware gang that received over $100 million in ransom payments from more than 1,500 victims. These malicious cyber incidents affecting US federal law enforcement agencies emphasize the importance of adopting a proactive approach to network segmentation validation and vulnerability management. Prioritizing network accessibility, exposure, exploitability and commercial effect are all necessary steps to ensure the entire threat landscape is evaluated. Developing exposure-based risk scores can significantly increase the efficacy and improve resilience of vulnerability management programs by helping to prioritize the urgency of vulnerability mitigation.")