US Marshals Service Denies Recent Breach
The US Marshals Service (USMS) has denied claims by the Hunters International ransomware gang that it was the victim of a recent cyberattack. The ransomware group listed the USMS as a new victim on its leak site on Monday, August 26, 2024.
“USMS is aware of the allegations and has evaluated the materials posted by individuals on the dark web, which do not appear to derive from any new or undisclosed incident,” a spokesperson told BleepingComputer.
While Hunters International has not yet released any allegedly stolen documents, it has included thumbnail screenshots of some files in the USMS entry as evidence of its claims.
Data Previously Sold on Russian Forum
However, the data published by Hunters International on their dark web data leak site is the same data that was put up for sale in March 2023 on a Russian-speaking hacking forum. A threat actor named “Tronic” claimed in 2023 that the stolen files contained sensitive information, including:
- Copies of passports and identification documents
- Aerial footage and photos of military bases and other high-security areas
- Details on wiretapping and surveillance of citizens
- Information on convicts, gang leaders, and cartels
- Files marked as SECRET or TOP SECRET
It is unclear if Tronic is now associated with Hunters International or if the ransomware gang purchased the data previously and is now trying to resell it.
USMS Confirmed Previous Cyberattacks
In February 2023, the USMS confirmed it was investigating the theft of sensitive law enforcement information after “a stand-alone USMS system” was impacted in a ransomware attack. “The affected system contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” USMS spokesperson Drew Wade said at the time.
The USMS also disclosed another data breach in May 2020 after it accidentally exposed the details of over 387,000 former and current inmates in a December 2019 incident. This included personally identifiable information like their names, dates of birth, home addresses, and social security numbers.
Hunters International: A Possible Hive Rebrand
Hunters International, the cybercrime gang that listed the USMS as a new victim on their leak site this week, is a ransomware operation that surfaced in late 2023. It has been flagged as a possible rebrand of Hive due to code similarities.
Notable victims claimed by this ransomware gang over the last year include:
- Japanese optics giant Hoya
- U.S. Navy contractor Austal USA
- Integris Health
- Fred Hutch Cancer Center (threatening to leak the stolen data of over 800,000 cancer patients)
Hunters International operators have targeted companies of all sizes, with ransom demands ranging from hundreds of thousands to millions of dollars, depending on the targeted organization’s size. Since the start of the year, they’ve claimed 157 attacks against various organizations worldwide, ranking the group as one of the most active ransomware operations.