The computer network was operated by the Marshals’ Technical Operations Group (TOG), a secretive arm within the agency that uses technically sophisticated law enforcement methods to track criminal suspects through their cellphones, emails and web usage. Its techniques are kept secret to prolong their usefulness, and exactly what members of the unit do and how they do it is a mystery even to some of their fellow Marshals personnel.
The problem began in early February, when the TOG’s computer system was breached. A system that handles a vast amount of court-approved tracking of cellphone data, including location data, had been compromised. The incident was the latest example of the scourge of ransomware — a criminal scam in which the computer systems of hospitals, schools and companies are penetrated and the data is stolen or made inaccessible unless a ransom is paid.
The attack on the Marshals system showed that even high-level federal law enforcement agencies are not immune to ransomware. In the case of the TOG system, the network has existed outside regular Justice Department computer systems for years, unnoticed in the open, crowded internet.
Marshals officials refused to pay any ransom and instead moved to shut down the entire system. But in the course of doing so — according to people familiar with the matter who spoke on the condition of anonymity to discuss the inner workings of law enforcement surveillance, security and fugitive hunting — they took steps that had significant consequences.
To limit the potential spread of infected devices and systems, officials decided to wipe the cellphones of those who worked in the hacked system — clearing out their contacts and emails. The action was taken with little advance notice on a Friday night, meaning some employees were caught by surprise, these people said.
One staffer was working the security detail for a Supreme Court justice when the person discovered their device had been wiped of data, these people said. While the phone still worked, the person had no emails or contacts, these people said. One Marshals official, also speaking on the condition of anonymity to discuss sensitive law enforcement issues, insisted there was no security risk posed by the phone wipe because Marshals still carry their two-way radios.
The most significant consequence of the system going down is that one of the Marshals’ best tools for finding fugitives — often used on behalf of state and local law enforcement agencies — has been incapacitated, the people familiar with the matter said. Marshals officials, asked about the impact, said the agency has other ways to find fugitives that made up for the shutdown of the system.
“The data breach has not impacted the agency’s overall ability to apprehend fugitives and conduct its investigative and other missions,” Marshals spokesman Drew Wade said Monday. “Most critical tools were restored within 30 days of the breach discovery. Further, USMS soon will deploy a fully reconstituted system with improved IT security countermeasures.”
The Technical Operations Group has helped the Marshals hunt down high-value suspects in the United States and in other countries, including Mexican drug kingpin Joaquín Guzmán, better known as “El Chapo,” according to people familiar with the system.
A great deal of the hunting is done through what is called pen register/trap and trace — a means of cellphone surveillance that has evolved along with phone technology. In the era of landlines, a PR/TT meant getting a record of all the incoming and outgoing calls from a phone. In the modern era, PR/TTs can also be applied to email accounts and can pull data on the location of a phone or electronic device — critical information in a manhunt.
Unlike a wiretap, a pen register/trap and trace does not monitor the contents of phone conversations. A PR/TT order for the data about a phone requires the government to convince a judge only that the information is relevant to an ongoing investigation — not the higher legal standard of probable cause needed for a wiretap.
“In a world where everyone has a cellphone, it’s a way to track cellphones, and it’s a way to track account usage,” said Orin Kerr, a law professor at the University of California at Berkeley who specializes in criminal procedure and privacy. “We’re all on these devices all day, so it’s a way to — with court orders — track not the messages that people are sending, but the information about them, which is helpful to finding them.”
Kerr said there’s another reason for concern beyond the system shutdown, because “what happens after the government gets this information is also important. Part of this story is about how the system they created was vulnerable and all this information was available to someone else.”
With more than two dozen offices in the United States and Mexico, the Technical Operations Group also operates airplanes in a smaller number of U.S. cities as part of its cellphone tracking work — a costly but highly effective way to find and arrest suspects.
The Technical Operations Group does so many real-time PR/TT data searches that in many years, it collects more of that data than the FBI and DEA combined, according to people familiar with the matter who spoke on the condition of anonymity to describe in general terms how the investigations are conducted. The people said that office’s use of the technology typically generates more than 1,000 arrests over a 10-week period.
But since the ransomware shutdown in mid-February, the TOG has not been doing that kind of real-time collection, which people familiar with the situation said has had a major impact on fugitive-finding efforts. A Marshals official disagreed with that assertion, saying the agency has other methods of hunting fugitives.
This official said Marshals task forces have continued to make arrests while supporting state and local law enforcement, noting that the Technical Operations Group is just one part of the agency’s fugitive-hunting work, which helps task forces capture many thousands of suspects every year.
The Justice Department has judged the computer intrusion a “major incident” and notified Congress.
The Marshals previously said the affected system “contains law enforcement sensitive information, including returns from legal process, administrative information, and personally identifiable information pertaining to subjects of USMS investigations, third parties, and certain USMS employees,” adding that officials “are working swiftly and effectively to mitigate any potential risks as a result of the incident.”
What has gone less swiftly is the effort to get the system replaced and rebuilt, as officials try to decide whether the incident proves more changes are needed at the Technical Operations Group.
Some within the Marshals have complained for years that the TOG is too unsupervised and secretive, a cowboy arm of a law enforcement agency. In particular, its activities in Mexico have been the subject of concern within the agency and whistleblower complaints, and questions about cellphone surveillance by the Marshals and other law enforcement agencies led the Obama administration to change the rules for how federal agencies use such technology.
Other law enforcement officials describe the TOG as full of technical wizards unencumbered by red tape, whose skills at data extraction and surveillance to find and track targets are a model not just for law enforcement, but also for the military.
Now, as Marshals debate how to rebuild the computer system, senior officials at the agency are also deciding whether the group needs more supervision and structure, both in personnel and in its computer network, according to people familiar with the matter.