Cyber Incident Victim: South Carolina Criminal Justice Information Services
Date: Jun 2023
Location: United States of America
Summary
The SiegedSec hacking group breached and defaced the South Carolina Criminal Justice Information Services (CJIS) website as part of a multi-state campaign. The group claimed to have stolen data from the victim and other state government sites, sharing screenshots of the defacements and allegedly exfiltrated information. The incident was investigated by state authorities, though the specific impact on CJIS was not publicly detailed by officials.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around June 28, 2023, the hacktivist group SiegedSec claimed responsibility for a series of cyberattacks targeting several US state government websites. Among the five entities listed in their public announcement on Telegram was the South Carolina Criminal Justice Information Services (CJIS). The group shared photographs as evidence of their activities, which allegedly included both website defacement and the theft of data. For the South Carolina CJIS, SiegedSec specifically claimed to have stolen data. The South Carolina CJIS is a function of the South Carolina Law Enforcement Division (SLED) and serves as a criminal justice information repository responsible for collecting, processing, storing, and disseminating crime data and criminal identification and record information.

Following the public claims made by SiegedSec, the South Carolina Attorney General’s Office was contacted for comment. A representative from that office stated they did not control the South Carolina CJIS website and directed inquiries to the South Carolina Law Enforcement Division (SLED). SLED, the entity responsible for the CJIS system, did not respond to multiple requests for comment regarding the alleged hack. Consequently, no official statement from the direct managing authority was available to confirm or deny the breach, detail its scope, or explain what specific data, if any, was accessed or exfiltrated.

The incident was part of a broader campaign by SiegedSec that also targeted state-run websites in Nebraska, South Dakota, Texas, and Pennsylvania. In those other cases, officials provided varying levels of confirmation and detail. For example, in Nebraska, officials confirmed their judicial branch intranet was targeted and that a screenshot was posted by the attackers, but stated no sensitive case or personally identifiable information was compromised. South Dakota officials confirmed a public-facing website was compromised and defaced but stated no sensitive information was involved. The Texas entity initially denied being hacked despite the group's claims, and Pennsylvania officials stated they were investigating the claims but declined further comment. This pattern indicates a campaign targeting various state government portals, with tactics including defacement and data theft, though the exact impact varied by victim.

The motive for the attacks on the various states was not explicitly stated by SiegedSec in their initial announcement for this particular campaign. However, the group has a history of launching attacks motivated by political issues. In previous operations targeting government bodies in states like Texas, Kentucky, and Arkansas, the group had explicitly referenced state-level bans on abortion and gender-affirming care as their reasoning. Some experts caution that the stated motives of such groups should be viewed warily due to a general lack of information about the individuals behind the accounts. The group's leader, using the alias YourAnonWolf, has described their activities as being for "fun" and has been characteristically vague about the group's composition and full intentions when contacted by media.

SiegedSec is identified as a politically motivated hacktivist group. According to researchers who track their activities, the group had just concluded an aggressive offensive campaign called #OpColombia against the Colombian government prior to this US state-focused campaign. Their typical operations involve leaking stolen data and defacing the resources of their targets. Notable previous targets have included a variety of commercial and government organizations in Russia, which the group claims to have knocked offline, as well as smaller campaigns targeting South American governments, software companies, and healthcare providers. Their modus operandi is non-financial; they do not seek ransom payments from victims but instead operate based on stated ideological reasons or, as their leader has suggested, for the enjoyment of the activity itself.

The lack of an official statement from SLED means the full nature and scope of the incident involving South Carolina CJIS, including any potential compromise of sensitive criminal justice information, could not be independently confirmed from the provided sources. The investigation into the broader multi-state campaign by SiegedSec was ongoing at the time of reporting.
