Cyber Incident Victim: Miracle Systems
Date:
Nov 2018
Location:
United States of America
Summary
A U.S. government IT contractor experienced unauthorized access to its systems, with credentials and internal data subsequently offered for sale on a cybercrime forum. The compromised information allegedly included email correspondence and access to client agency databases, though the contractor asserted the data came from outdated internal test environments that had never been connected to federal partner networks. At least eight of its internal systems were infected with Emotet malware in three separate incidents spanning roughly nine months. While the impacted agencies investigated and reported no direct compromise, the incident prompted a Secret Service investigation and highlighted broader federal concerns about subcontractor security practices. The breach underscored the difficulty of enforcing consistent cybersecurity standards across government supply chains, particularly among lower-tier contractors handling sensitive data.
Description
The breach at Miracle Systems LLC, a Virginia-based U.S. government IT contractor serving over 20 federal agencies, was first identified when a Russian-language cybercrime forum member offered to sell network access in mid-August 2019. The seller advertised access to email correspondence, client agency databases, and credentials, setting an opening bid at six bitcoins (~$60,000). Screenshots provided as proof of access revealed domains and IP addresses tied to the U.S. Department of Transportation, National Institutes of Health (NIH), U.S. Citizenship and Immigration Services (USCIS), and Miracle Systems’ internal infrastructure. Security firm Hold Security alerted KrebsOnSecurity to the incident, noting that Miracle Systems’ systems had been compromised on three separate occasions between November 2018 and July 2019 via Emotet malware, which typically spreads through malicious email attachments and deploys additional payloads. The U.S. Secret Service initiated an investigation, with an agent present at Miracle Systems’ offices during initial media inquiries. Miracle Systems CEO Sandesh Sharda confirmed the auction involved his company’s credentials and databases but asserted the data was from outdated internal test environments never connected to government partner networks.

The investigation revealed that at least eight of Miracle Systems' internal systems were compromised during the intrusion period. While NIH confirmed no compromise of its systems following an internal review, DHS and DOT did not publicly comment on their exposure. The incident occurred amid heightened federal scrutiny of contractor security practices, exemplified by U.S. Customs and Border Protection's suspension of contracts with Perceptics following a breach of that contractor months earlier. Federal acquisition regulation updates around this time enabled agencies to enforce stricter cybersecurity requirements on vendors and to terminate non-compliant contracts. The Department of Defense had recently issued new cybersecurity standards for contractors handling sensitive data, reflecting concerns about weaknesses among lower-tier subcontractors. No direct operational impact on federal agencies was publicly confirmed, though the exposure of contractor-managed credentials and databases prompted ongoing law enforcement involvement and internal reviews by the affected entities.
