{"id":289187,"date":"2026-07-13T11:24:00","date_gmt":"2026-07-13T15:24:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/07\/13\/dhs-network-intrusion-was-twice-ruled-a-false-positive-before-breach-confirmed\/"},"modified":"2026-07-13T23:20:10","modified_gmt":"2026-07-14T03:20:10","slug":"dhs-network-intrusion-was-twice-ruled-a-false-positive-before-breach-confirmed","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/07\/13\/dhs-network-intrusion-was-twice-ruled-a-false-positive-before-breach-confirmed\/","title":{"rendered":"DHS network intrusion was twice ruled a false positive before breach confirmed"},"content":{"rendered":"<p><a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2026\/07\/dhs-network-intrusion-was-twice-ruled-false-positive-breach-confirmed\/414724\/\">DHS network intrusion was twice ruled a false positive before breach confirmed<\/a><\/p>\n<p><a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2026\/07\/dhs-network-intrusion-was-twice-ruled-false-positive-breach-confirmed\/414724\/\">https:\/\/www.nextgov.com\/cybersecurity\/2026\/07\/dhs-network-intrusion-was-twice-ruled-false-positive-breach-confirmed\/414724\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-07-13 11:24:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.nextgov.com\">www.nextgov.com<\/a><\/p>\n<p>Department of Homeland Security personnel twice dismissed signs of cyber intruders inside the agency\u2019s Homeland Security Information Network as harmless activity, allowing hackers to remain undetected inside for weeks and eventually steal credential files, according to an internal incident readout viewed by Nextgov\/FCW.<\/p>\n<p>HSIN was breached about two months ago, Nextgov\/FCW first reported in late June. The network houses sensitive, unclassified data that\u2019s shared between federal, state, local, industry and overseas partner organizations.<\/p>\n<p>Department investigators have still not determined the affiliation of the hackers, according to two people with knowledge of an ongoing probe into the incident. DHS may send staff to brief Congress on the hack in a classified setting in the coming weeks, added the people, who spoke on the condition of anonymity to communicate the department\u2019s thinking.<\/p>\n<p>Between May 15 and May 24, the infiltration was detected by analysts inside FEMA, where they observed the hackers had altered files on testing and live servers, used a legitimate web-server program to run malicious code and deleted activity logs that could have exposed their movements, according to the readout. The activity was ruled a false positive.<\/p>\n<p>Between May 25 and June 3, the hackers used similar methods aiming to leave scant trace of their activity, setting off more alerts that were again dismissed as benign. On June 4, they installed hidden backdoors and stole credential data \u2014 typically employed to verify users\u2019 identities and grant access to accounts or systems \u2014 where personnel then declared a breach was active.<\/p>\n<p>It\u2019s not clear why the intrusion was deemed benign two times over such a wide timeframe, but the incident highlights how a mistaken assessment can give hackers significantly more time to deepen their access into a target\u2019s environment. The hack involved techniques meant to mask activity as normal, which, generally speaking, can make it very difficult&#8230;<\/p>\n<p><a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2026\/07\/dhs-network-intrusion-was-twice-ruled-false-positive-breach-confirmed\/414724\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>DHS network intrusion was twice ruled a false positive before breach confirmed https:\/\/www.nextgov.com\/cybersecurity\/2026\/07\/dhs-network-intrusion-was-twice-ruled-false-positive-breach-confirmed\/414724\/ Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":289188,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/cdn.nextgov.com\/media\/img\/cd\/2026\/07\/13\/071326DHSNG\/open-graph.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24],"class_list":["post-289187","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289187"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=289187"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289187\/revisions"}],"predecessor-version":[{"id":289189,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/289187\/revisions\/289189"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/289188"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=289187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=289187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=289187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}