cyberattack Archives | FedScoop
https://fedscoop.com/tag/cyberattack/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

DOJ ‘not aware of any’ identity theft, fraud following consultant’s data breach
https://fedscoop.com/doj-not-aware-of-identity-theft-following-consultant-breach/
Thu, 11 Apr 2024 20:19:32 +0000

The Justice Department, which provided the Medicare information to Greylock McKinnon Associates as part of a civil litigation matter, was notified of the breach in May 2023, a DOJ spokesperson said.

The post DOJ ‘not aware of any’ identity theft, fraud following consultant’s data breach appeared first on FedScoop.

A data breach that exposed Medicare information — including social security numbers — provided to consulting firm Greylock McKinnon Associates by the Justice Department doesn’t appear to have resulted in identity theft or fraud yet, according to a statement from the agency.

“While the Justice Department is not aware of any specific reports of identity theft or other fraud resulting from this incident, the Department has ensured that those impacted have been offered fraud resolution services and credit monitoring,” Wyn Hornbuckle, a DOJ spokesperson, said in an email to FedScoop. “The investigation of this matter is ongoing.”

The response from the DOJ follows a public disclosure of the Boston-based consulting firm’s breach last week on the Office of the Maine Attorney General’s website. According to that disclosure, first reported by TechCrunch, Greylock McKinnon Associates experienced a cyberattack in May 2023 that likely compromised Medicare information of 341,650 people, including their social security numbers.

That information was obtained by the Justice Department “as part of a civil litigation matter” and given to the firm, which provides litigation support, in its “provision of services to the DOJ in support of that matter,” according to a letter GMA sent to people affected by the incident.

In that letter, GMA said it “detected unusual activity on our internal network” last May and “promptly took steps to mitigate the incident.” The firm said it worked with a third-party cybersecurity specialist in its response, notified DOJ and law enforcement, and in February, received confirmation of who was affected and their contact information. 

Hornbuckle said the firm notified the DOJ of the breach in May, “after which the Department required that Greylock identify those affected and immediately began its own process to address the breach.”

GMA could not be reached for comment. 

Identity-focused attacks remain the most vulnerable entry point to an organization
https://fedscoop.com/identity-focused-attacks-remain-the-most-vulnerable-entry-point-to-an-organization/
Tue, 16 May 2023 19:30:00 +0000

How a CISA red team assessment proved one agency’s hardened network was still vulnerable to phishing attacks and credential theft.

The post Identity-focused attacks remain the most vulnerable entry point to an organization appeared first on FedScoop.

The Cybersecurity and Infrastructure Security Agency (CISA) released a shocking report on February 23, 2023, revealing the results from a red team assessment they conducted in 2022 “at the request of a large critical infrastructure organization with multiple geographically separated sites.”

According to CISA, “the team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs).”

The initial access was gained through spearphishing emails — also known as business email compromise (BEC) — which targeted specific users in the organization.

Security leaders from Proofpoint walked us through these report findings and detailed why identity-focused attacks remain the most vulnerable entry point to an organization, in a recent report, “Putting Federal Security Controls to the Test,” produced by Scoop News Group for FedScoop, and underwritten by Proofpoint.

Read the full report.

“There are a lot of different ways threat actors can get that initial access [into a network],” shared Garrett Guinivan, solutions architect and threat analyst at Proofpoint. “And often what leaders don’t realize is the high number of threats coming in via email.”

Once an attacker has access, many organizations don’t have the tools to alert them that they are inside their environment. The danger here is that an attacker can maintain persistence in the network, gather information, escalate their privileges and move laterally across the network until they are ready to launch their attack.

Hanna Wong, director of public sector solutions at Proofpoint, added, “cyberthreat actors are getting more creative with their attacks on people and using modern tools to obfuscate their activity. So, it is incredibly important that federal leaders integrate security solutions that are impactful and take the agency beyond meeting minimal compliance.”

This is where establishing identity threat detection and response (ITDR) practices can be helpful. ITDR focuses on detecting and preventing credential and privileged account abuse from vulnerable identities in an organization. ITDR also deploys honeypots for early detection of an attack, giving defenders an edge in learning more about a threat actor’s techniques.

“ITDR platforms like Illusive, Proofpoint’s new acquisition, make it harder for an actor to move inside a network and provide an organization with both the visibility of risks that need to be remediated, in addition to providing alert mechanisms that make it harder for attackers to maintain a persistent presence or escalate their privileges,” explained Guinivan.

“Having accurate data of where your biggest threats are, and your true threat model, are ways we can help executives better understand where they need to invest their security resources,” he said.

Read the full report and learn more about integrating solutions that protect people and data from the latest cyberattacks.

This article was produced by Scoop News Group for FedScoop and sponsored by Proofpoint.

Marshals Service working to redeploy IT system affected by ransomware attack
https://fedscoop.com/marshals-service-working-to-redeploy-it-system-affected-by-ransomware-attack/
Wed, 03 May 2023 14:38:58 +0000

The agency is setting up a new version of the affected system with improved cyber defenses, according to a spokesperson.

The post Marshals Service working to redeploy IT system affected by ransomware attack appeared first on FedScoop.

The U.S. Marshals Service is working to redeploy a “full reconstituted” version of the IT system affected by a February ransomware attack, according to an agency spokesperson.

On Tuesday, a USMS spokesperson said the new version of the system would have improved IT security countermeasures and noted that most critical tools were restored within 30 days of the breach discovery.

“The data breach has not impacted the USMS’ overall ability to apprehend fugitives and conduct its investigative and other missions,” the spokesperson added.

Since the February ransomware attack, the Marshals Service has worked to recover the standalone IT system at the Department of Justice bureau.

Earlier this week, The Washington Post published a report that revealed fresh details about the incident, including that the cyberattack affected an isolated computer network used by a secretive unit known as the Technical Operations Group.

According to a mission summary included on an archived Obama administration website, the USMS Technical Operations Group “provides electronic surveillance; advises districts about appropriate surveillance techniques; assists in preparing court orders requesting electronic surveillance; and analyzes information obtained through electronic surveillance.”

Sources speaking to The Post said that the TOG’s computer system had been inoperative for 10 weeks and that the cellphones of those who worked within the hacked system were wiped with little advance notice on a Friday night.

In February, USMS confirmed that it was responding to a ransomware and data exfiltration event affecting a standalone IT system after details of the cyberattack were first reported by NBC.

According to the agency’s statement at the time, the breach was first discovered on Feb. 17 and was declared a major incident on Feb. 22.

FBI says cyber incident at New York Field Office ‘contained’
https://fedscoop.com/fbi-cyber-incident/
Fri, 17 Feb 2023 19:35:55 +0000

The Bureau is working to gain additional information about the reported cyberattack.

The post FBI says cyber incident at New York Field Office ‘contained’ appeared first on FedScoop.

The Federal Bureau of Investigation says it has contained a cyber incident at the agency’s New York Field Office that reportedly affected a computer network used in child sexual exploitation investigations.

In a statement to FedScoop, the agency said it is aware of the incident and is working to gain additional information.

The agency added: “This is an isolated incident that has been contained. As this is an ongoing investigation the FBI does not have further comment to provide at this time.”

CNN first reported details of the cyber incident, which is understood to have primarily affected the agency’s New York Field Office.

Two sources briefed on the matter told the news organization that the incident involved an FBI computer system used in investigations of images of child sexual exploitation.

The FBI has been compromised by other cyber incidents in the past couple of years, including a November 2021 cyberattack on its Law Enforcement Enterprise Portal, which resulted in fake cyber alert emails being sent on the agency’s behalf.

The FBI said at the time that it took action to remediate the software vulnerability, warned partners to disregard the fake emails and confirmed the integrity of its networks. However, the bureau has yet to publicly name a suspect for that attack.

Speaking with FedScoop, Austin Berglas, global head of professional services at BlueVoyant and former FBI Crimes Against Children coordinator in New York, said it was unlikely the incident would result in the disclosure of classified information.

He said: “The most likely scenario is dirty evidence with a virus from a child pornographer evaded the FBI’s malware detection tools and was uploaded to the forensic network of the FBI in New York.”

Berglas added: “But most importantly, if protocol was being followed then no classified or top secret info was affected by this apparent attack because there are strict procedures in place. The classified and top secret information is not connected to the forensic computer network that was affected by the incident.”

Editor’s note, 2/17/22: This story was updated to include comment from Austin Berglas.
