The Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP) confirmed that the agencies experienced a “widespread” breach over the summer, which lasted several weeks. A still-unidentified hacker was able to gain access to sensitive employee data at the two agencies.

According to a report from NextGov/FCW, the breach prompted an “urgent cleanup operation” led by Department of Homeland Security IT officials. The hacker gained deep access to a FEMA computer network that oversees operations in “Region 6,” which encompasses parts of New Mexico, Texas, Oklahoma, and Louisiana, as well as nearly 70 tribal nations.

At least two dozen FEMA technology employees were dismissed from their posts.

The Hack – What We Know

The computer network was reportedly first compromised on June 22, when the hacker(s) breached the Citrix virtual infrastructure within FEMA using compromised login credentials. The hacker(s) were able to access data from Region 6, which includes states on the U.S. southern border.

Cybersecurity teams within DHS were notified of the breach on July 7. A week later, on July 15, the threat actor gained high-level access via another compromised account and reportedly attempted to install virtual networking software that would have enabled the extraction of additional information.

On July 16, initial remediation efforts were undertaken. Further remediation took place on September 5, which included blocking certain websites.

Paul Bischoff, a consumer privacy advocate at Comparitech, told ClearanceJobs in an email that he suspected the hacker(s) exploited the CitrixBleed vulnerability in an unpatched version of the Citrix NetScaler software, which is commonly used for VPNs and other network gateways.

“CISA, which is also run by the federal government, issued guidance on how to avoid CitrixBleed in 2023,” Bischoff explained. “A breach that lasts several weeks usually implies that DHS failed to properly secure the data. If the data was left exposed to the internet for that long, then any number of hackers could have found and stolen it in that time.”

Response Times to Cyber Incidents

Cyber attacks, including those targeting U.S. agencies, are unfortunately not uncommon, but this one stands out for several reasons, notably how it occurred and how long it lasted.

“This breach targeting both FEMA and Customs and Border Protection highlights the growing risk of lateral movement across interconnected federal systems, especially when regional network segments are left exposed,” warned Ensar Seker, chief information security officer at threat intelligence and real-time cyber threat protection provider SOCRadar.

“A compromise that lasted ‘several weeks’ without detection suggests not just a failure of preventive security controls, but likely gaps in real-time monitoring and behavioral anomaly detection,” Seker told ClearanceJobs via an email. “The fact that the attacker gained deep access to a FEMA environment that supports critical emergency operations across several states is particularly alarming.”
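The sequence in the timeline above (a valid credential used from an unfamiliar network, then a second, higher-privilege account used from the same source weeks later) and the monitoring gap Seker describes are exactly what a baseline-deviation check over gateway authentication logs is meant to surface. The Python below is an added example written for this page, not code from the article, FEMA, DHS, Citrix or any vendor; the log format, account names, IP addresses, country codes, cutoff date and off-hours window are all assumptions, and the sample log lines are constructed to mirror the reported pattern rather than taken from any real system.

```python
"""Baseline-deviation check over gateway authentication logs (added example).

Constructed sample, not real FEMA/CBP data: hypothetical accounts, IPs and
timestamps chosen to mirror the reported pattern (valid credential from an
unfamiliar network, then a privileged account from the same source).
"""
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed log lines in an assumed format:
# "<ISO timestamp> <user> <source IP> <country> <role> <result>"
SAMPLE_LOG = """\
2025-06-02T13:05:00Z jdoe 10.20.30.40 US user success
2025-06-09T14:11:00Z jdoe 10.20.30.41 US user success
2025-06-16T12:58:00Z jdoe 10.20.30.40 US user success
2025-06-03T09:10:00Z r6admin 10.20.31.7 US admin success
2025-06-10T09:20:00Z r6admin 10.20.31.7 US admin success
2025-06-22T02:14:00Z jdoe 203.0.113.55 RO user success
2025-06-22T02:16:00Z jdoe 203.0.113.55 RO user success
2025-07-15T03:40:00Z r6admin 203.0.113.55 RO admin success
"""

OFF_HOURS = range(0, 6)  # assumed: 00:00-05:59 UTC is outside normal working hours


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, country, role, result = line.split()
        events.append({"ts": _ts(ts), "user": user, "src_ip": src_ip,
                       "country": country, "role": role, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def net24(ip):
    """Collapse a source address to its /24 so DHCP churn inside one office is not an anomaly."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(events, cutoff):
    """Per-account set of source networks and countries seen in successful logins before the cutoff."""
    baseline = defaultdict(lambda: {"nets": set(), "countries": set()})
    for e in events:
        if e["ts"] < cutoff and e["result"] == "success":
            baseline[e["user"]]["nets"].add(net24(e["src_ip"]))
            baseline[e["user"]]["countries"].add(e["country"])
    return baseline


def detect(events, baseline, cutoff):
    """Flag successful post-cutoff logins that deviate from the account's baseline."""
    findings = []
    for e in events:
        if e["ts"] < cutoff or e["result"] != "success":
            continue
        reasons = []
        known = baseline.get(e["user"])
        if known is None:
            reasons.append("no baseline for account")
        else:
            if net24(e["src_ip"]) not in known["nets"]:
                reasons.append("new source network")
            if e["country"] not in known["countries"]:
                reasons.append("new country")
        if e["ts"].hour in OFF_HOURS:
            reasons.append("off-hours")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


def correlate(findings):
    """Group anomalies by source IP: one address driving several accounts suggests credential reuse."""
    by_ip = defaultdict(dict)
    for f in findings:
        by_ip[f["src_ip"]][f["user"]] = f["role"]
    pivots = []
    for ip, users in by_ip.items():
        if len(users) >= 2:
            pivots.append({"src_ip": ip, "users": sorted(users),
                           "privileged": "admin" in users.values()})
    return pivots


def run(text=SAMPLE_LOG, cutoff="2025-06-20T00:00:00Z"):
    """Return (per-login findings, cross-account pivots) for a log and a baseline cutoff."""
    cut = _ts(cutoff)
    events = parse_log(text)
    findings = detect(events, build_baseline(events, cut), cut)
    return findings, correlate(findings)


if __name__ == "__main__":
    findings, pivots = run()
    for f in findings:
        print(f["ts"].isoformat(), f["user"], f["src_ip"], ", ".join(f["reasons"]))
    for p in pivots:
        print("PIVOT", p["src_ip"], p["users"], "privileged" if p["privileged"] else "")
```

The check only works if the baseline window is clean: a baseline learned after June 22 would have absorbed the attacker's logins as normal behaviour for the first account, so the cutoff should predate the earliest suspected activity, and new-country or new-network hits on an account should be reviewed on the day they occur rather than weeks later. The cross-account correlation is the piece that turns a single odd login into a lateral-movement alert, which is the second account's July 15 activity in the reported timeline.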

Seker suggested that this is far more than just a data breach, describing it as a “breach of trust in systems that Americans rely on during disasters.”

The situation could have also been far worse.

“If the attacker maintained persistence long enough to pivot laterally, they could have exfiltrated sensitive employee PII, internal operational planning data, and potentially even response coordination protocols, all of which could be weaponized in future incidents,” Seker continued.

Identifying the Threat Actor

It isn’t just the length of the breach and the failure to act that should be seen as a significant concern, but the fact that no threat actor has been named.

“The big questions we should be asking now are if it’s possible that more than one unauthorized party accessed the data, whether any of them were state-sponsored or political actors, and what data was stolen,” said Bischoff.

“What makes this more concerning is that no threat actor has been named yet,” added Seker. “The longer attribution remains unclear, the greater the uncertainty for federal employees, partners, and the public. The incident underscores the urgency for agencies like DHS to implement more robust Zero Trust architectures, extend attack surface visibility into traditionally siloed regional environments, and continuously audit access paths, especially for hybrid or legacy systems.”

There has been a rise in state-linked threat actors exploiting weakly segmented infrastructure and federated identities across agencies.

“This breach is a textbook case of why cybersecurity shouldn’t be managed in operational silos,” Seker suggested. “For federal agencies, the stakes aren’t just reputational or financial. They’re national security.”


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at petersuciu@gmail.com. You can follow him on Twitter: @PeterSuciu.