Particle.news

DHS Probe Finds FEMA Region 6 Breach Stole FEMA and CBP Employee Data

The finding comes after DHS fired FEMA's IT leaders, a move that has prompted a rapid restructuring of the agency's technology operations.

Overview

  • An internal assessment found that an intruder used Citrix remote access with compromised credentials to maintain a foothold on FEMA networks from June 22 to August 5 and exfiltrated data from Region 6 servers.
  • The stolen data concerns employees of FEMA and U.S. Customs and Border Protection; the attacker has not been identified.
  • On July 14 the intruder installed virtual networking software and obtained access to Microsoft Active Directory, which enabled the data extraction.
  • FEMA cut off Citrix access for Region 6 on July 16, enforced multifactor authentication, ordered agencywide password changes on August 18, and added site blocks to its Zscaler policies on September 5.
  • After the breach, Homeland Security Secretary Kristi Noem dismissed about two dozen FEMA IT officials and reorganized the IT leadership, while investigators examine whether a suspected Citrix vulnerability dubbed CitrixBleed 2.0 played a role.