A hacker infiltrated FEMA’s computer networks via compromised Citrix remote desktop credentials, maintaining unauthorized access from **June 22 to August 5, 2024**. The breach targeted **FEMA Region 6** (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) and involved the theft of **employee identity data** from FEMA and U.S. Customs and Border Protection (CBP). The attacker exploited weak security controls, including the absence of **multifactor authentication (MFA)**, to move laterally across the network, install VPN software, and exfiltrate data from **Active Directory**. The incident led to the termination of **24 FEMA employees**, including IT executives, after an investigation revealed systemic failures in cybersecurity protocols. While initial statements claimed no sensitive data was stolen, a DHS internal review confirmed the theft of **federal employee identity information**. The breach underscored vulnerabilities in government cybersecurity, compounded by a separate disclosure of hackers exploiting **Cisco firewall devices** in U.S. agencies, though no direct link to the FEMA attack was established.
Source: https://www.claimsjournal.com/news/national/2025/09/30/333248.htm
TPRM report: https://www.rankiteo.com/company/fema
{
  "id": "fem3092330093025",
  "linkid": "fema",
  "type": "Breach",
  "date": "8/2024",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'Federal Employees (FEMA & CBP)',
                        'industry': 'Public Administration / Emergency Management',
                        'location': 'United States (Region 6: Arkansas, Louisiana, New Mexico, Oklahoma, Texas)',
                        'name': 'Federal Emergency Management Agency (FEMA)',
                        'type': 'Government Agency'},
                       {'customers_affected': 'Federal Employees',
                        'industry': 'Law Enforcement / Border Security',
                        'location': 'United States',
                        'name': 'U.S. Customs and Border Protection (CBP)',
                        'type': 'Government Agency'}],
 'attack_vector': ['Compromised Credentials',
                   'Citrix Remote Desktop Exploitation',
                   'Lateral Movement via VPN Software',
                   'Active Directory Access'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (Federal Employee Information)',
                 'type_of_data_compromised': ['Employee Identity Data']},
 'date_detected': '2023-07-07',
 'date_publicly_disclosed': '2023-08-29',
 'date_resolved': '2023-08-05',
 'description': "A hacker gained unauthorized access to FEMA's computer networks for several months in 2023, "
                'exploiting compromised credentials in Citrix Systems Inc.’s remote desktop software. '
                'The intruder breached FEMA’s Region 6 (covering Arkansas, Louisiana, New Mexico, Oklahoma, and Texas) '
                'and stole identity data of FEMA and U.S. Customs and Border Protection (CBP) employees. '
                'The breach was detected on **July 7**, with the hacker active from **June 22 to August 5**. '
                'FEMA disconnected the Citrix tool on **July 16** and enforced multifactor authentication (MFA). '
                'DHS Secretary Kristi Noem fired 24 FEMA employees, including IT executives, '
                "citing 'agencywide lack of MFA' and incompetence. "
                'While it was initially claimed that no sensitive data or citizen data was stolen, '
                'DHS later confirmed federal employee identity data was exfiltrated.',
 'impact': {'brand_reputation_impact': ['Public Disclosure of IT Leadership Failures',
                                        'Media Coverage (Bloomberg, Nextgov/FCW)'],
            'data_compromised': ['Federal Employee Identity Data (FEMA & CBP)'],
            'downtime': {'description': 'Hacker present in network for ~45 days; Citrix tool disconnected on 2023-07-16.',
                         'end': '2023-08-05',
                         'start': '2023-06-22'},
            'identity_theft_risk': ['High (Federal Employee Data Stolen)'],
            'operational_impact': ['Disconnection of Citrix Remote Access Tool',
                                   'Enforcement of Multifactor Authentication',
                                   'Firing of 24 FEMA Employees (Including IT Executives)'],
            'systems_affected': ['FEMA Region 6 Servers',
                                 'Microsoft Active Directory',
                                 'Citrix Remote Desktop Tool']},
 'initial_access_broker': {'backdoors_established': ['VPN Software Installed (2023-07-14)'],
                           'entry_point': 'Citrix Systems Inc.’s Remote Desktop Software (Compromised Credentials)',
                           'high_value_targets': ['Microsoft Active Directory',
                                                  'FEMA & CBP Employee Databases']},
 'investigation_status': 'Completed (DHS Internal Investigation)',
 'lessons_learned': ['Critical need for multifactor authentication (MFA) across all systems.',
                     'Vulnerabilities in third-party remote access tools (e.g., Citrix) require proactive monitoring.',
                     'Lateral movement risks in Active Directory highlight the need for segmentation and access controls.',
                     'Delayed detection (hacker active for ~45 days) underscores gaps in continuous threat monitoring.'],
 'post_incident_analysis': {'corrective_actions': ['Enforced MFA for FEMA Region 6.',
                                                   'Disconnected vulnerable Citrix remote access tool.',
                                                   'Terminated IT leadership responsible for security failures.',
                                                   'Public disclosure to raise awareness of risks.'],
                            'root_causes': ['Lack of multifactor authentication (MFA) for remote access.',
                                            'Compromised credentials in Citrix remote desktop software.',
                                            'Inadequate monitoring of lateral movement within the network.',
                                            'Failure to segment high-value systems (e.g., Active Directory).']},
 'recommendations': ['Mandate MFA for all remote access and privileged accounts.',
                     'Conduct regular audits of third-party software vulnerabilities.',
                     'Implement network segmentation to limit lateral movement.',
                     'Enhance endpoint detection and response (EDR) capabilities.',
                     'Establish clearer incident response protocols for credential-based breaches.'],
 'references': [{'source': 'Bloomberg News'},
                {'source': 'Nextgov/FCW'},
                {'source': 'DHS Public Statement (2023-08-29)'}],
 'regulatory_compliance': {'legal_actions': ['Termination of 24 FEMA Employees (Including IT Leadership)']},
 'response': {'communication_strategy': ['Public Statement by DHS Secretary (2023-08-29)',
                                         'Media Disclosures (Bloomberg, Nextgov/FCW)'],
              'containment_measures': ['Disconnected Citrix Remote Access Tool (2023-07-16)',
                                       'Enforced Multifactor Authentication'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True},
 'stakeholder_advisories': ['DHS Secretary’s Public Statement',
                            'Media Briefings'],
 'title': 'FEMA Network Breach via Compromised Citrix Remote Desktop Credentials',
 'type': ['Unauthorized Access', 'Data Breach', 'Credential Theft'],
 'vulnerability_exploited': ['Lack of Multifactor Authentication (MFA)',
                             'Citrix Remote Desktop Software Vulnerability']}