The U.S. Marshals Service suffered a ransomware attack earlier this month in which threat actors stole sensitive data, including the personally identifiable information of fugitives and some employees.
NBC News first reported the major breach Monday night, which was quickly followed up by additional media coverage. While USMS spokesperson Drew Wade, chief of the Office of Public Affairs, confirmed the ransomware attack and data exfiltration to multiple news outlets, including TechTarget Editorial, the agency did not release an official statement.
The incident continues a trend TechTarget Editorial observed in January of ransomware attacks increasing against the public sector, though the USMS is one of the highest-profile government agencies to be victimized in some time.
Most significantly, Wade's statement confirmed that on Feb. 22, the USMS briefed senior Justice Department officials, who "determined that it constitutes a major incident."
Wade informed media outlets that the USMS first detected the ransomware and data exfiltration on Feb. 17, but the threat was limited to a "stand-alone USMS system" that was subsequently forced offline. An ongoing investigation revealed that the system contained sensitive law enforcement data including the personally identifiable information of fugitives, third parties and some employees.
In addition, it stored administrative information, though it's unclear exactly what that entails. Attackers are known to leverage stolen administrative credentials to gain initial system access.
However, the attackers did not obtain all of the agency's critical information during the attack. NBC News correspondent Tom Winter said on Twitter Monday night that a senior law enforcement official confirmed that the breach did not expose the Witness Security Program. It appears most of the stolen data pertained to agency investigations.
"The [Justice] Department's remediation efforts and criminal and forensic investigations are ongoing," Wade said in the statement. "We are working swiftly and effectively to mitigate any potential risks as a result of the incident."
As the forensic investigation is ongoing, questions remain around attack attribution, motive and the initial access point. Many ransomware groups that exfiltrate data post the information on public leak sites to pressure victims into paying. So far, there have been no reports of leaked USMS sensitive information or any ransomware group claiming responsibility for the attack.
Arielle Waldman is a Boston-based reporter covering enterprise security news.