Hackers steal sensitive law enforcement data in a breach of the U.S. Marshals Service

The oldest U.S. federal law enforcement agency, the U.S. Marshals Service, has revealed it was the victim of a cyberattack last week in which hackers stole sensitive data.

According to a U.S. Marshals spokesperson, the "major incident" impacted a "standalone" computer system which contained records about targets of ongoing investigations, employee personal data and internal processes.

Importantly, according to the spokesperson, the system did not include personal details about people enrolled in the Federal Witness Protection Program, whose lives could be in danger if publicly exposed. The U.S. Marshals claim the system is not connected to the broader network, and was quickly shut down when the breach was discovered before turning the investigation over to the Department of Justice.

The Service said it learned about the attack on Feb. 17, when it discovered what it described as a ransomware attack in which the hackers were actively exfiltrating sensitive files. The breach was first reported by NBC News.

"The Department's remediation efforts and criminal forensic investigations are ongoing," a U.S. Marshals Service spokesperson wrote in an email. "We are working swiftly and effectively to mitigate any potential risks as a result of the incident."

The U.S. Marshals Service did not provide additional information about whether the attackers threatened to release stolen data if a ransom was not paid, or details on how the agency is accessing its records in a workaround following the breach.

If the attackers broke in and encrypted the files in what looked like a ransomware attack, but never demanded payment, it's possible there was never any financial motivation for stealing the information.

Government agencies are attractive targets for foreign espionage, and the FBI, another federal law enforcement agency, specifically recommends that ransoms not be paid. It is unlikely a savvy criminal ransomware gang would expect payment from the U.S. Marshals. However, some criminal groups seek out targets indiscriminately based on security vulnerabilities or opportunity.

If no ransom was demanded, that could speak to the potential hidden motivation. Nation-state adversaries including Iran and Russia have launched destructive attacks designed to look like ransomware in an effort to cover up efforts to steal intelligence or cause disruption in the past. Just recently, companies like Microsoft have tracked who they say are Russian military hackers launching what looked like ransomware attacks in Poland and Ukraine in an effort to gather intelligence and cause chaos.

The Justice Department is investigating the source of the breach, while the U.S. Marshals work on restoring service. They are currently using a workaround to access sensitive files including information about investigative targets, so as not to delay ongoing casework. However, it's unclear whether the Marshals were able to recover the files, or are accessing copies from a backup server or other computer system.

Finally, it's unclear whether the attackers are still considering whether to release the files that were stolen.