By David DiMolfetta, Cybersecurity Reporter, Nextgov/FCW
A Citrix vulnerability — suspected to have led to firings of multiple FEMA technology staff — enabled the breach, which let hackers pilfer data from FEMA servers connected to states at the southern border.
A “widespread cybersecurity incident” at the Federal Emergency Management Agency allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection, according to a screenshot of an incident overview presentation obtained by Nextgov/FCW.
The hack is also suspected to have later triggered the dismissal of two dozen Federal Emergency Management Agency technology employees announced late last month, according to internal meeting notes and a person familiar with the matter.
The initial compromise began June 22, when hackers accessed Citrix virtual desktop infrastructure inside FEMA using compromised login credentials. Data was exfiltrated from Region 6 servers, the image says. That FEMA region services Arkansas, Louisiana, New Mexico, Oklahoma and Texas, as well as nearly 70 tribal nations.
Some of those states sit on the nation’s southern border. That region has long been a flashpoint in the Trump administration’s immigration policies, which have emphasized shoring up funding and resources for CBP.
DHS security operations staff were notified of the breach on July 7, the screenshot adds. On July 14, the unnamed threat actor used an account with high-level access and attempted to install virtual networking software that could allow them to extract information. Initial remediation steps were taken on July 16.
On Sept. 5, additional remediation actions were taken, including changing FEMA Zscaler policies and blocking certain websites, the screenshot says. Those actions were previously reported by Nextgov/FCW.
An internal FEMA email dated August 18 previously obtained by Nextgov/FCW ordered all agency employees to change their passwords “due to recent cybersecurity incidents and threats.” It required password changes within two weeks of the email being sent. The email did not provide details about the security issues.
The FEMA IT staff firings were announced on Aug. 29, following a routine review of the agency’s systems, which uncovered a vulnerability “that allowed the threat actor to breach FEMA’s network and threaten the entire department and the nation as a whole,” the Department of Homeland Security said at the time. The terminations, announced by DHS Secretary Kristi Noem, also targeted FEMA’s top technology and cybersecurity officers.
FEMA’s IT employees “resisted any efforts to fix the problem,” avoided scheduled inspections and “lied” to officials about the scope of the cyber vulnerabilities, DHS said when Noem first announced the staff terminations last month. “Failures included: an agency-wide lack of multi-factor authentication, use of prohibited legacy protocols, failing to fix known and critical vulnerabilities, and inadequate operational visibility,” DHS also said.
Citrix sells tools that help employees access workplace apps remotely. The suspected vulnerability, dubbed CitrixBleed 2.0, has previously allowed cyber intruders to circumvent multifactor authentication protocols, which are meant to confirm that a user accessing a system is who they claim to be rather than someone masquerading as them.
The term “bleed” refers to the method by which hackers can compel susceptible devices to leak memory contents, allowing them to piece together fragments of that data into login credentials that can then be used to breach systems.
This security exposure and its exploitation received extensive media coverage throughout July. DHS previously said the vulnerability that led to the firings was addressed before any sensitive data could be pilfered from FEMA networks. But DHS and FEMA’s IT office confirmed on Sept. 10 that data was pilfered from Region 6 servers via the Citrix vulnerability, the presentation says.
Nextgov/FCW has asked DHS, FEMA and Citrix spokespeople for comment.
FEMA, like many government agencies, is a target-rich environment for hackers because it holds troves of sensitive data like disaster relief applications, insurance claims, disaster victim data and internal communications on emergency response plans. The agency also works with a wide range of private sector contractors.
Citrix failed to convey the full scale of the threat and how to address it, which left several IT staff hanging, according to some of the internal meeting notes. Staffing shortages observed before the second Trump administration only exacerbated the problem, the notes say.
A separate tranche of emails viewed by Nextgov/FCW shows that FEMA has been working to restructure much of its IT workforce after the firings.
On Sept. 8, FEMA announced a temporary IT operational structure that named around a dozen acting officials in roles focused on technology, engineering, hosting services and security operations center management. That email was sent by Diego Lapiduz, named the acting Chief Information Officer of FEMA, after previous CIO Charles Armstrong was removed in the August firings.
Lapiduz issued another email on Sept. 12, which announced the addition of another site services official in the reporting structure.