The US Marshals Service (USMS) is investigating a major ransomware attack that compromised some of its most sensitive information, including law enforcement materials and the personal information of employees and of potential targets of federal investigations.  Officials classified the cyberattack as a "major incident"; it affected a "stand-alone" system within the service, meaning one not connected to a larger federal network, an agency spokesperson said Monday.  The attack was discovered on 17 February.  "Shortly after that discovery, the USMS disconnected the affected system, and the US Department of Justice (DOJ) initiated a forensic investigation," the spokesperson said.

The USMS is a bureau within the DOJ, operating under the direction of the Attorney General, and serves as the enforcement arm of the US federal courts, ensuring the effective operation of the judiciary and the integrity of the Constitution.  It is the oldest US federal law enforcement agency, created by the Judiciary Act of 1789 during the presidency of George Washington as the "Office of the United States Marshal."  The USMS in its modern form was established in 1969 to provide guidance and assistance to US Marshals throughout the federal judicial districts.

According to the USMS, the attackers obtained administrative data, including the personal information of certain employees and of wanted fugitives, as well as information on unidentified third parties.  The affected system also held sensitive law enforcement information, including material on ongoing legal proceedings.

Officials at the Department of Justice, which oversees the USMS, deemed the cyber breach a "major incident" on 22 February, following a briefing by the Marshals Service.

Under US federal policy, a "major incident" is also treated as a "significant cyber incident": one likely to result in demonstrable harm to US national security interests, foreign relations or the economy, or to the public confidence, civil liberties, or public health and safety of the American people.  Federal agencies are required to report major incidents to Congress within seven days of identification.

The DOJ’s remediation efforts, as well as its criminal and forensic investigation, remain ongoing.  "We are working swiftly and effectively to mitigate any potential risks as a result of the incident," the USMS said.

The agency has put a workaround in place to continue its fugitive investigations while the affected system is offline, a US official told the media.

The breach was disclosed on the same day that the US CISA Director warned that cyber intrusions "can do real damage to our nation—leading to theft of our intellectual property and personal information."

The Biden administration is poised to release its National Cyber Strategy as soon as this week.  The cybersecurity blueprint is described as the first of its kind published in more than 15 years.  The forthcoming strategy, led by the Office of the National Cyber Director in the White House, is expected to go beyond voluntary measures and recommend regulation to close national security gaps exposed by major breaches, including the 2020 SolarWinds compromise, a Russian-linked supply-chain attack in which a trojanized software update reached roughly 18,000 SolarWinds customers across government and private networks.

Last month, the FBI dismantled an international ransomware group after months of monitoring the cybercriminals from inside their own network.  The criminal enterprise, known as Hive, had targeted more than 1,500 institutions in over 80 countries since June 2021, extracting more than $100 million from its victims, according to the DOJ.


Hive's attack on a Midwestern hospital disrupted care in the midst of the COVID-19 pandemic and forced the hospital to pay a ransom before it could restore its systems and resume treating patients normally.  "No matter where you are, and no matter how much you try to twist and turn to cover your tracks – your infrastructure, your criminal associates, your money, and your liberty are all at risk," the FBI Director said last month.  Federal investigators, including the FBI, continue to urge ransomware victims not to pay the demanded ransom but to contact law enforcement.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or             

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings
