DHS network intrusion was twice ruled a false positive before breach confirmed
DHS network intrusion was twice ruled a false positive before breach confirmed
Publish Date: 2026-07-13 11:24:00
Source Domain: www.nextgov.com
Department of Homeland Security personnel twice dismissed signs of cyber intruders inside the agency’s Homeland Security Information Network as harmless activity, allowing hackers to remain undetected inside for weeks and eventually steal credential files, according to an internal incident readout viewed by Nextgov/FCW.
HSIN was breached about two months ago, Nextgov/FCW first reported in late June. The network houses sensitive, unclassified data that’s shared between federal, state, local, industry and overseas partner organizations.
Department investigators have still not determined the affiliation of the hackers, according to two people with knowledge of an ongoing probe into the incident. DHS may send staff to brief Congress on the hack in a classified setting in the coming weeks, added the people, who spoke on the condition of anonymity to communicate the department’s thinking.
Between May 15 and May 24, the infiltration was detected by analysts inside FEMA, where they observed the hackers had altered files on testing and live servers, used a legitimate web-server program to run malicious code and deleted activity logs that could have exposed their movements, according to the readout. The activity was ruled a false positive.
Between May 25 and June 3, the hackers used similar methods aiming to leave scant trace of their activity, setting off more alerts that were again dismissed as benign. On June 4, they installed hidden backdoors and stole credential data — typically employed to verify users’ identities and grant access to accounts or systems — where personnel then declared a breach was active.
It’s not clear why the intrusion was deemed benign two times over such a wide timeframe, but the incident highlights how a mistaken assessment can give hackers significantly more time to deepen their access into a target’s environment. The hack involved techniques meant to mask activity as normal, which, generally speaking, can make it very difficult…