Full Report
Lorenzo Franceschi-Bicchierai reports: A group of hacktivists calling themselves “Department of Peace” claimed to have hacked the Department of Homeland Security (DHS), leaking allegedly stolen documents online. On Sunday, the nonprofit transparency collective DDoSecrets published data relating to contracts between DHS, Immigration and Customs Enforcement (ICE), and more than 6,000 companies, including defense contractors Anduril, L3Harris, Raytheon,... Source
Analysis Summary
# Incident Report: Hacktivist Exfiltration of DHS/ICE Contract Data
## Executive Summary
A hacktivist group identified as the “Department of Peace” claims to have breached the Department of Homeland Security (DHS), specifically targeting the Office of Industry Partnership (OIP). The breach resulted in the exfiltration and subsequent public leak of sensitive contract data involving Immigration and Customs Enforcement (ICE) and over 6,000 private sector companies. The transparency collective DDoSecrets published the data on March 1, 2026, highlighting significant supply chain and governmental exposure.
## Incident Details
- **Discovery Date:** March 1, 2026 (via public leak)
- **Incident Date:** Occurred prior to March 1, 2026
- **Affected Organization:** Department of Homeland Security (DHS / ICE)
- **Sector:** Government / Defense
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed (Prior to March 1, 2026)
- **Vector:** Targeted breach of the Office of Industry Partnership (OIP)
- **Details:** Attackers compromised the OIP unit, which serves as the primary interface for procuring technology from private sector vendors.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not detailed in the report; however, the attackers successfully accessed internal contract repositories and procurement documentation spanning multiple agencies (DHS and ICE).
### Data Exfiltration/Impact
- **Details:** The group exfiltrated data relating to contracts with over 6,000 companies. Notable entities included Anduril, L3Harris, Raytheon, Palantir, Microsoft, and Oracle.
### Detection & Response
- **How it was discovered:** Public announcement by the "Department of Peace" and the subsequent publication of the dataset by the transparency collective DDoSecrets.
- **Response actions taken:** Not explicitly detailed in the report; standard federal protocol typically involves CISA engagement and internal forensic audits of the OIP network.
## Attack Methodology
- **Initial Access:** Targeting of a specific procurement unit (Office of Industry Partnership).
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Undisclosed.
- **Credential Access:** Undisclosed.
- **Discovery:** Identification of the DHS procurement workflow as a target-rich environment.
- **Lateral Movement:** Accessing inter-agency (DHS/ICE) contract databases.
- **Collection:** Gathering bulk contract documents and vendor lists.
- **Exfiltration:** Transfer of data to hacktivist infrastructure and eventually to ddosecrets[.]org.
- **Impact:** Information disclosure and reputational damage to federal agencies and 6,000+ private partners.
## Impact Assessment
- **Financial:** Possible loss of proprietary pricing data; potential risk to future government contract bidding secrecy.
- **Data Breach:** High. Leak of sensitive procurement contracts and vendor relationships.
- **Operational:** Potential disruption to current and future technology procurement for ICE and DHS.
- **Reputational:** High public impact; the leak highlights vulnerabilities in how the government secures the data of its private-sector partners.
## Indicators of Compromise
*(Note: Limited technical IOCs provided in the public press report)*
- **Network indicators:** Traffic associated with ddosecrets[.]org and oip.dhs[.]gov.
- **Behavioral indicators:** Unauthorized bulk download patterns from the OIP procurement portal.
## Response Actions
- **Containment measures:** Isolation of the OIP procurement systems (assumed).
- **Eradication steps:** Auditing of all administrative credentials associated with the OIP unit.
- **Recovery actions:** Verification of document integrity and notification of the 6,000+ affected third-party vendors.
## Lessons Learned
- **Key takeaways:** Procurement portals are high-value targets for hacktivists due to the concentrated volume of private-sector data they contain.
- **Gaps identified:** Potential lack of segmentation between the DHS Office of Industry Partnership and ICE-specific contract data.
## Recommendations
- **Access Control:** Implement strict Multi-Factor Authentication (MFA) and Zero Trust Architecture for all procurement-related portals.
- **Data Protection:** Encrypt data at rest and in transit within contract management systems; implement Data Loss Prevention (DLP) to flag abnormal bulk exfiltration of documents.
- **Third-Party Risk Management:** Review how vendor data is stored once a contract is finalized, so that dormant contract data is archived and shielded from the primary network.
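As an added illustration of the "unauthorized bulk download" behavioral indicator and the DLP recommendation above (example code written for this summary, not from the report or any DHS system), the following sliding-window detector flags any principal that downloads more than a threshold of distinct documents from a procurement portal within a short window. The log format, the user names and the 5-documents-in-10-minutes threshold are assumptions; the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (assumed format):
# "<iso-timestamp> <user> <action> <document-id>"
SAMPLE_LOG = """\
2026-02-20T09:00:01 alice DOWNLOAD contract-0001
2026-02-20T09:05:12 alice DOWNLOAD contract-0002
2026-02-20T09:07:45 bob VIEW contract-0003
2026-02-20T09:09:30 alice DOWNLOAD contract-0001
2026-02-20T22:10:00 svc-sync DOWNLOAD contract-0101
2026-02-20T22:10:04 svc-sync DOWNLOAD contract-0102
2026-02-20T22:10:09 svc-sync DOWNLOAD contract-0103
2026-02-20T22:10:13 svc-sync DOWNLOAD contract-0104
2026-02-20T22:10:18 svc-sync DOWNLOAD contract-0105
2026-02-20T22:10:22 svc-sync DOWNLOAD contract-0106
2026-02-20T22:10:27 svc-sync DOWNLOAD contract-0107
2026-02-20T22:10:31 svc-sync DOWNLOAD contract-0108
"""


def parse(line):
    """Split one log line into (timestamp, user, action, document id)."""
    ts, user, action, doc = line.split()
    return datetime.fromisoformat(ts), user, action, doc


def find_bulk_downloaders(lines, window=timedelta(minutes=10), max_docs=5):
    """Return {user: (window_start, distinct_doc_count)} for each user whose
    DOWNLOAD events cover more than max_docs distinct documents inside any
    sliding window of length `window`. Repeated downloads of the same document
    are counted once, so re-opening a file does not trigger an alert."""
    recent = defaultdict(deque)  # user -> deque of (timestamp, doc) in window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, user, action, doc = parse(line)
        if action != "DOWNLOAD":
            continue
        q = recent[user]
        q.append((ts, doc))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) > max_docs and user not in alerts:
            alerts[user] = (q[0][0], len(distinct))  # first crossing only
    return alerts
```

Running `find_bulk_downloaders(SAMPLE_LOG.splitlines())` flags only `svc-sync` (six distinct documents within 22 seconds); `alice` stays under the threshold because one of her three downloads is a repeat.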