Privacy News Hackers breached DHS information-sharing network, people familiar say

Brownie2019
Thread author
Mar 9, 2019

The Homeland Security Information Network is used by government, international and private sector partners to share sensitive but unclassified information.

A key Department of Homeland Security information-sharing database was accessed by an unknown threat actor in recent weeks, potentially exposing sensitive data exchanged between federal, state, local and industry partners, according to two people familiar with the matter.

DHS investigators are probing the intrusion of the Homeland Security Information Network, said both people, who spoke on the condition of anonymity because the incident is sensitive. The hackers’ affiliation and whether any documentation was pilfered from the system are both unclear.

The department’s Office of Intelligence and Analysis has conducted a damage assessment of the intrusion, which is believed to have occurred sometime between late May and early June, said one of the people. The hackers targeted HSIN servers and a SharePoint system used for collaboration efforts, the person added.

Approved users lean on the network to securely access data, exchange requests with partner agencies, manage operations, coordinate safety and security for planned events, respond to incidents and share mission-critical information needed to protect their communities, according to its website. HSIN carries unclassified but sensitive information shared among federal, state, local, territorial, tribal, international and private-sector partners.

The intrusion comes as the U.S. is overseeing security for World Cup games across the country, placing added scrutiny on the systems federal, state and local officials use to coordinate major events. A breach of the platform could raise concerns about whether hackers gained insight into security planning, interagency coordination or response procedures surrounding one of the most visible international events hosted predominately in the United States.

The platform supports real-time communication, document sharing, alerts, web conferencing and incident management. It’s also used to exchange information about persons of interest and potential threats to help agencies maintain situational awareness during emergencies and events.

“The Department of Homeland Security is aware of a recent cyber incident involving a specific, unclassified legacy information sharing environment. We immediately took action to isolate the affected systems, mitigate the vulnerability, and launch a comprehensive forensic investigation,” a department spokesperson said after this story published. “There is no indication that classified networks were impacted, and the system remains operational for our partners. As this is an ongoing investigation, we cannot provide further operational details at this time.”

The development would not be the first time HSIN has faced security problems. In 2023, an access misconfiguration linked to a contractor’s coding error caused restricted HSIN data to be exposed to unapproved users inside the platform, according to a memo obtained by Nextgov/FCW.

The error let information intended for a limited set of authorized users be made available more broadly across HSIN, including sensitive U.S. person data and other personally identifying information. The full consequences of that misconfiguration are still unclear, according to a third person. Wired previously reported that incident.

Nation-state groups and criminal hackers routinely target U.S. systems to collect intelligence, steal sensitive information, disrupt operations or gain footholds inside government networks. In February, a suspected China-linked breach of an FBI surveillance system likely revealed phone numbers of targets being monitored by the bureau, Nextgov/FCW previously reported.

Editor's note: This article has been updated to include comment from DHS.

This report is credible enough to treat as a real operational security event, but there are still major unknowns (initial access method, scope of access, and whether data was exfiltrated), so it’s best to avoid drawing conclusions beyond what DHS has publicly confirmed.

What is (and isn’t) being claimed
  • HSIN is described as a “sensitive but unclassified” (SBU) information-sharing environment used across government and partners.
  • DHS has publicly acknowledged a “cyber incident” affecting a specific unclassified legacy environment, and says it isolated affected systems and started forensics.
  • There is currently no public confirmation of:
    • Which threat actor (if any) is responsible
    • Whether documents/data were actually stolen (exfiltration) vs. accessed
    • Which partner communities or HSIN “communities of interest” were impacted
  • DHS states there is no indication classified networks were impacted (that’s useful, but it does not automatically mean the impact is low).

Why SBU/“unclassified but sensitive” breaches still matter
Even without classified material, systems like HSIN can contain information that is operationally sensitive, such as:
  • Event security planning and coordination details
  • Incident response procedures and contact lists
  • Operational “situational awareness” reporting
  • PII or “U.S. person” data (the prior 2023 misconfiguration example shows that data handling issues have occurred before)
If an attacker gained persistent access (or obtained credentials), the impact can extend beyond the single platform (follow-on phishing, impersonation, and lateral targeting of partner organizations).

Practical steps for partner organizations and users (low-risk, standard response)
If your organization uses HSIN or receives HSIN-shared materials, these are reasonable, non-alarmist precautions while the investigation continues:
  • Assume credentials could be targeted:
    • Reset HSIN-related passwords if instructed by DHS/HSIN admins
    • Enforce MFA everywhere it is supported
    • Review sign-in logs for unusual IPs, impossible travel, or atypical times
  • Harden collaboration workflows:
    • Re-check SharePoint/guest access rules and least-privilege permissions
    • Audit any service accounts tied to HSIN integrations (API tokens, sync accounts)
  • Raise phishing defenses:
    • Warn users to be skeptical of “urgent HSIN/DHS” emails and document links
    • Block or flag newly registered lookalike domains if your email security supports it
  • Reduce impact if data was accessed:
    • Identify what your org has uploaded/shared via HSIN (documents, contact lists, operational plans)
    • Prepare a targeted internal notification plan in case DHS confirms specific data exposure

How to follow this safely without speculation
  • Rely on DHS/HSIN official communications for scope and required actions.
  • Treat third-party reporting as preliminary until DHS provides technical details (entry vector, dwell time, confirmed exfiltration, affected tenants/servers).
  • If you are a partner org and suspect you are affected, escalate through your normal incident reporting channel and the forum’s “report” function if someone posts suspicious links/files here.

The key takeaway is that “unclassified” does not mean “low impact,” so basic credential and access auditing plus phishing vigilance are sensible until DHS releases more definitive findings.
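As an added illustration of the "review sign-in logs for unusual IPs, impossible travel, or atypical times" step above (this is example code written for this thread, not anything from the article, DHS, or HSIN), the script below triages a handful of constructed sign-in records. The log line format, the IP-to-location table standing in for a GeoIP lookup, the baseline of known IPs, and the business-hours window are all assumptions chosen for the example; in practice you would feed it your SharePoint/identity-provider sign-in export and a real GeoIP database.

```python
"""Sign-in log triage: flags unknown source IPs, off-hours sign-ins and
impossible travel between consecutive sign-ins by the same user.
Example code for illustration; log format, GeoIP table, baseline and
business hours are all constructed assumptions."""
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample of sign-in events: timestamp (UTC), user, source IP, outcome.
SAMPLE_LOG = """\
2026-06-03T08:12:05Z jdoe@example.org 203.0.113.10 success
2026-06-03T08:40:17Z jdoe@example.org 203.0.113.10 success
2026-06-03T09:05:44Z jdoe@example.org 198.51.100.77 success
2026-06-03T02:55:01Z asmith@example.org 203.0.113.22 success
2026-06-03T14:20:09Z asmith@example.org 203.0.113.22 success
"""

# Constructed IP -> (latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (38.90, -77.04),   # Washington, DC area (assumed)
    "203.0.113.22": (38.90, -77.04),
    "198.51.100.77": (52.52, 13.40),   # Berlin (assumed)
}

# Assumed baseline of source IPs previously seen for this organisation.
KNOWN_IPS = {"203.0.113.10", "203.0.113.22"}

# Assumed business hours (UTC); anything outside is reported as off-hours.
BUSINESS_HOURS = range(7, 20)
# Faster than this between two sign-ins from different places is "impossible travel".
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_log(text):
    """Parse the constructed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "ip": ip,
            "outcome": outcome,
        })
    return events


def triage(events):
    """Return (user, finding_kind, detail) tuples for the three signals."""
    findings = []
    last_by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ip"] not in KNOWN_IPS:
            findings.append((ev["user"], "unknown_ip", ev["ip"]))
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append((ev["user"], "off_hours", ev["ts"].isoformat()))
        prev = last_by_user.get(ev["user"])
        if prev and prev["ip"] != ev["ip"]:
            here, there = GEO.get(prev["ip"]), GEO.get(ev["ip"])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            # Only judge travel when both IPs geolocate and time actually elapsed.
            if here and there and hours > 0:
                dist = haversine_km(here, there)
                if dist / hours > MAX_PLAUSIBLE_KMH:
                    findings.append((ev["user"], "impossible_travel",
                                     f"{dist:.0f} km in {hours:.2f} h"))
        last_by_user[ev["user"]] = ev
    return findings


if __name__ == "__main__":
    for user, kind, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{kind:18} {user:22} {detail}")
```

On the constructed sample this reports one off-hours sign-in for asmith, and for jdoe both an unknown source IP and an impossible-travel hop (roughly 6,700 km in under half an hour). Findings are leads for a human to review against change tickets and travel records, not proof of compromise: VPN egress points and mobile carrier NAT commonly produce the same pattern, so the known-IP baseline needs to be maintained deliberately.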