The Hunters International cybercrime group claims it has stolen over 380 gigabytes of data from the US Marshals Service. The group posted details of the alleged breach on its leak site on Monday. If it is not paid, it says it will publish the documents on August 30th.

What is not yet known is how much money Hunters International is demanding to prevent publication. The claim creates a problem for the US Government, which has a clear policy of not paying ransoms of any kind, including for data breaches. However, given the nature of the data said to have been taken, it may be under pressure to take whatever other action it can to prevent disclosure.

The Hunters International website lists some of the documents it claims to have seized. They include data from active cases, ongoing electronic surveillance and gang files, some of which are marked as top secret, and more. One group of documents is listed as belonging to Operation Turnbuckle.

That operation was reported by wgna, a US news service, as a major sting against a drug-dealing group in Albany, New York, in April 2022. It resulted in 18 arrests and the seizure of money and drugs. If the documents held by Hunters International are genuine, they will almost certainly contain operational and other details of that operation.

Breach or no Breach?

Brady McCarron, Deputy Chief, Office of Public Affairs at the US Marshals Service (Image Credit: LinkedIn)

The official statement sent to Enterprise Times by Brady McCarron, Deputy Chief, Office of Public Affairs at the US Marshals Service, reads: "USMS is aware of the allegations and has evaluated the materials posted by individuals on the dark web, which do not appear to derive from any new or undisclosed incident."

This statement is important because it is not the first time the US Marshals Service has encountered ransomware. It suffered a previous attack in February 2023, which was initially reported to have affected a standalone system. Although that system was shut down, the disruption was said to have continued for months.

The New York Times later reported that the affected system contained data on active cases and employees. According to that coverage, data was taken from the system, but no further details were ever given. Nor was any of that data reported to have been published.

If there are two breaches, investigators will want to establish whether they are related. If they are, did the cybercriminals leave a backdoor that let them regain access? Have they had a foothold inside the US Marshals Service for the last 18 months? If this is a new attack, what was the initial point of compromise, and how was so much data exfiltrated without being noticed?

Returning to that statement and taking it at face value, this may be data from that earlier breach. Operation Turnbuckle predates the February 2023 incident, so the documents could have been taken at that time. If the data were more current, you might have expected Hunters International to showcase a more recent operation.

Enterprise Times: What does this mean?

This is not the first time Hunters International has targeted the US Government. In December 2023, it successfully launched a ransomware attack on Austal US, a supplier to the US DoD.

For now, all eyes will be on Friday, August 30th, to see what, if anything, is released. The big question at the moment is whether this is old or new data.

Ian Stretton, Director, Darkscope EMEA, commented: "If these alleged attacks are proved to be true, it shows how difficult it is to be totally vigilant when the world landscape is changing and evolving at such a rapid pace.

"The tactic of trying to defend everything against everyone is being shown time and again to be an impossible activity (akin to trying to hold back the tide on a beach), and what is needed is a targeted approach to pinpoint the possible threats through cyber intelligence.

"This needs to be real time and dynamic (it might be interesting to know there was a risk five years ago, but this is unlikely to help stop an attack now).

"Doing this moves the issue away from the subjective 'who we think' might be our enemies to 'who is likely' to be attacking us now and in the near future. It is unlikely you will be aware of everyone who is a threat.

"It is like being a goalkeeper in football: if you are blindfolded, all you can do is react to what you think is around you and take your best guess.

"Remove the blindfold and you can see the whole game and what is coming your way, and proactively react to the threat. Hopefully you end up with a clean sheet!"
