A hacker gained access to the Federal Emergency Management Agency’s computer networks for several months earlier this year and stole information about FEMA and US Customs and Border Protection employees, according to an overview of the incident.
The Department of Homeland Security notified FEMA on July 7 that a hacker had gained access to its network through Citrix Systems Inc.’s remote desktop software using compromised credentials, according to the summary, which was reviewed by Bloomberg News. The intruder breached FEMA’s Region 6, which includes Arkansas, Louisiana, New Mexico, Oklahoma and Texas, and the data was stolen from servers in the same region, according to the document.
The identity of the hacker wasn’t disclosed. The handling of the breach prompted Homeland Security Secretary Kristi Noem to fire two dozen FEMA employees, including multiple IT executives, according to a person familiar with the incident.
Representatives for FEMA, DHS and CBP didn’t immediately respond to requests for comment, nor did a spokesperson for Citrix. Details of the overview were previously reported by Nextgov/FCW.
On July 14, the hacker moved through FEMA’s networks and installed virtual private network software in an attempt to remotely break into a database, according to the overview. The hacker was successful in gaining access to Microsoft Corp.’s Active Directory, which is used by information technology administrators to manage access control. From there, the intruder stole information about employees at FEMA and Customs and Border Protection, another component of DHS.
FEMA disconnected the Citrix remote access tool for Region 6 on July 16 and forced employees to use multifactor authentication, according to the summary.
The hacker was present in the network from June 22 until Aug. 5, the investigation found.
In an Aug. 29 statement detailing the firings, Noem said, “FEMA’s career IT leadership failed on every level,” and she listed numerous examples of what she called “incompetence,” including an “agencywide lack of multifactor authentication.” The fired officials haven’t responded to requests for comment.
Noem said in the statement that “this problem was caught before any American citizens were directly impacted,” and “no sensitive data was extracted from any DHS networks.” DHS’s internal investigation later found that federal employee identity data had been successfully stolen, according to the overview.
On Thursday, US officials said hackers had compromised Cisco Systems Inc.’s firewall devices within the US government. It’s not known which government agencies were affected by the attacks, or if the FEMA attack was in any way related.


































