The mission of the U.S. Marshals Service (USMS) is “to enforce federal laws and provide support to virtually all elements of the federal justice system” through multiple disciplines. Its law enforcement (LE) focus, reach and scope make this week’s report of a recent cyberattack involving both ransomware and data exfiltration especially concerning.
While this news is fresh, and the incident ongoing, it’s a good time for us all to reflect on why LE entities can be especially attractive targets to bad actors. As with all important things in life, it always pays off to understand motivations and incentives, and how they can drive behaviors and actions.
Low-hanging fruit of outdated operational technology. It’s no surprise that many organizations operating as part of a government may not quite be up-to-date on the latest operating systems or other essential infrastructure; this includes some LE environments across all jurisdictional levels (federal, state, local and tribal). As recently as six years ago, it was still possible to find police departments in the US and the UK still running Windows XP, which was at that time years past its final support date. Whether the presence of aged technology is due to budgets or bureaucracies, threat actors realize this can be a weak spot for some LE entities and may focus their efforts accordingly.
Playing the short game for immediate and intentional impact/damage. This is the classic double-barreled “we’ve encrypted your files, we’ll release that data publicly” ransomware plus extortion approach. When those extortion demands focus on releasing personally sensitive information, extortion can mutate into doxing. Doxing is an especially dangerous step when it comes to LE, as the Washington, DC police experienced a few years ago, where the bad actor threatened to share confidential informant-related information with local gangs. Other local police departments have seen extremely sensitive information exfiltrated and leaked for the purpose of intimidation, such as home addresses and other family information relating to LE officers and other government personnel.
Playing the longer strategic game, laying the groundwork for future action. Threat actors, especially those working with or on behalf of a nation-state, realize that the most consequential data can often be biometric data, as this is identifying information that is all but impossible to change. Fingerprint sets representing more than five million people were stolen as part of the U.S. Office of Personnel Management (OPM) breach, which surely included LE-focused employees and contractors embedded throughout hundreds of US federal agencies. And what about fingerprint and other biometric data which may be held directly by LE regarding both employees and criminals? Fingerprints are a prize that can be leveraged not just for today but for decades to come, especially for a patient, persistent and well-funded nation-state adversary.
Deliberately breaking the evidentiary chain of custody. This angle is an especially strategic option. Even where there may be no identified data exfiltration from a LE target, a clever defense attorney can consider arguing that digital evidence, once encrypted via ransomware, is no longer safely within a defined and legally sound chain of custody. After all, the data is effectively under the control of the threat actor at that stage. Could this break in the evidentiary chain of custody completely derail an open investigation or even a trial?
Other more ego-driven possibilities: Carrying out a successful and highly publicized attack against LE bestows bragging rights, burnishes the threat actor’s “street cred” among peers, and stirs up notoriety. From their perspective, it’s great advertising! Or consider drivers such as retaliation, revenge, or retribution as a response to prior LE actions. Who better to attack than someone, or some organization, who has directly and negatively impacted that threat actor in the past?
We don’t yet know which, if any, of the above motivations are in play here. But we can expect things to become clearer over time.
One final thought, as we all continue to watch this incident and its aftermath play out: one of the hardest things to accomplish for an organization impacted by a serious cyberattack is to provide status updates while the incident is still playing out. Communicating externally and effectively before all the facts are known can be a real tightrope, and uncomfortable for even the most media-savvy organizations.
USMS has walked that careful path successfully thus far, delivering a high-level timeline of the facts as they are currently known, and providing context about the scope and impact of the attack. This is the best way to demonstrate there is a plan of action as the investigation and remediation proceeds. And it’s also an essential demonstration of respect for the public and its need to know. Overall, a good balancing act at this early stage.