By NHI Mgmt Group Editorial Team
Published 2026-05-22
Domain: Governance & Risk
Source: Imprivata

TL;DR: FBI guidance says criminal VPN infrastructure has been used by at least 25 ransomware groups and maps to proxy use, remote services, valid accounts, brute-force, and network discovery, underscoring that CJIS-regulated access must be both trusted and usable, according to Imprivata. Shared devices, remote support, and legacy workflows now need identity-aware controls, because blocking bad infrastructure alone does not prove who should be trusted.


At a glance

What this is: This is an independent analysis of FBI guidance on criminal VPN abuse and what it means for CJIS access control, with the key finding that trusted access must be both verifiable and usable.

Why it matters: It matters because public safety agencies must secure shared, mission-critical access without creating workarounds that weaken accountability across NHI, human, and third-party access.

By the numbers:

Read Imprivata's analysis of FBI guidance on CJIS access control and criminal VPN abuse


Context

CJIS access control is not just a compliance checkbox. In public safety environments, the same remote access paths that keep dispatch, patrol, vendor support, and legacy systems running can also become the paths attackers use to blend in.

The FBI FLASH advisory described in the source article focuses on criminal VPN infrastructure, valid accounts, and anonymized access. That combination matters because agencies cannot separate security from workflow: if access is slow or awkward, users will create shortcuts, and those shortcuts become governance risk.


Key questions

Q: What breaks when remote access is trusted because it looks familiar?

A: When remote access is trusted because it resembles normal VPN traffic, agencies lose the ability to distinguish legitimate operational use from attacker activity. Criminal infrastructure can reuse valid accounts, route through anonymized services, and blend into routine access patterns. The result is weaker CJIS accountability and a larger gap between access and trust.

Q: Why do shared workstations make CJIS access control harder?

A: Shared workstations make CJIS access control harder because the device is reused while the identity trail often is not. If users share credentials or delay logout, the audit record becomes less reliable and later investigation is weaker. The challenge is operational continuity without losing individual accountability.

Q: What do security teams get wrong about VPN-aware access controls?

A: Security teams often treat VPN-aware access as proof that a session is safe. In practice, a VPN only shows that a connection exists, not that the user, device, or session should be trusted. CJIS environments need multi-signal trust decisions, because legitimate-looking paths are exactly what attackers try to exploit.

Q: Who is accountable when third-party remote access is overused in public safety environments?

A: The agency remains accountable when third-party remote access is overused, even if the support relationship is legitimate. CJIS obligations do not move to the vendor. Agencies need lifecycle controls, session monitoring, and removal of access when the operational need ends; otherwise accountability and auditability erode.


Technical breakdown

How criminal VPN infrastructure hides behind legitimate access

Criminal VPN services are valuable to attackers because they create an access layer that looks ordinary from the outside. Instead of relying only on obviously malicious infrastructure, attackers can route through anonymized remote services, reuse valid accounts, and blend reconnaissance into normal-looking network traffic. The FBI mapped the activity to proxy use, remote services, valid accounts, brute-force, network discovery, and denial-of-service. For CJIS-regulated environments, the problem is not only the bad infrastructure itself. The deeper issue is that legitimate remote access patterns can be abused when identity, session, and location trust are not evaluated together.

Practical implication: agencies need access decisions that evaluate user, device, and session trust, not only network reputation.

Why shared devices and legacy systems widen the access trust gap

Public safety operations often depend on shared workstations, mobile data terminals, vendor support paths, and legacy applications such as CAD and records systems. Those environments create a trust problem because access is frequently persistent, shared, or context-light. If the same device serves multiple officers or multiple shifts, accountability becomes harder to prove later. The article’s core point is that CJIS compliance fails when authentication and access control are treated as separate from the way work actually happens. In practice, the system must support rapid changeovers without allowing shared credentials or untraceable sessions.

Practical implication: tighten session accountability around shared endpoints and legacy applications before attackers exploit normal operational reuse.

Why VPN-aware access controls are not the same as trust verification

VPN-aware controls can help identify risky access paths, but they do not on their own answer the key question: should this user, device, or session be trusted right now? That is why multifactor authentication, least privilege segmentation, and monitoring for unusual locations or IPs all matter together. The FBI guidance points to a broader access model where identity evidence, session behaviour, and destination sensitivity are all part of the decision. In CJIS settings, that is the difference between knowing a connection exists and knowing whether it should be allowed to reach criminal justice information.

Practical implication: treat VPN signals as one input to a broader trust decision, not as proof of legitimacy.
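The multi-signal decision this section describes, as an added Python illustration (not Imprivata's code and not text from the FBI advisory): a VPN connection is carried as one signal that can never, by itself, move the outcome toward allow, while identity, MFA, device state, location anomaly and destination sensitivity decide. The sensitivity tiers, field names and thresholds are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed illustration, not Imprivata's product logic or FBI guidance text:
# a session trust decision in which "VPN connected" is one signal among several.
# Destination sensitivity tiers are an assumption for this example.
SENSITIVITY = {"public_portal": 0, "cad_dispatch": 1, "cji_records": 2}

@dataclass
class SessionEvidence:
    user: str
    individual_identity: bool   # False for a shared or generic account
    mfa_passed: bool
    device_managed: bool        # agency-managed, compliant endpoint
    vpn_connected: bool         # the VPN-aware signal: a path exists, nothing more
    location_anomalous: bool    # new geography or IP relative to the user's history
    destination: str

def decide(ev: SessionEvidence) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons) for one session."""
    tier = SENSITIVITY[ev.destination]
    if not ev.individual_identity:
        return "deny", ["shared or generic account: no individual accountability"]
    if tier == 2 and not ev.mfa_passed:
        return "deny", ["MFA required before reaching CJI-bearing systems"]
    reasons = []
    if ev.location_anomalous:
        reasons.append("unusual location or IP: step-up review")
    if tier >= 1 and not ev.device_managed:
        reasons.append("unmanaged device for a sensitive destination")
    if tier >= 1 and not ev.mfa_passed:
        reasons.append("MFA not completed for a sensitive destination")
    if reasons:
        return "step_up", reasons
    return "allow", ["identity, device and session evidence are consistent"]

def vpn_only_view(ev: SessionEvidence) -> str:
    """What a control that treats VPN reachability as trust would conclude, for contrast."""
    return "allow" if ev.vpn_connected else "deny"
```

Comparing `decide` with `vpn_only_view` on the same evidence is the point: a VPN-connected session with no MFA, an unmanaged device and an anomalous source is "allow" to the path-only view and "deny" to the multi-signal one.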


Threat narrative

Attacker objective: The attacker objective is to gain believable remote access that supports intrusion, reconnaissance, and downstream ransomware operations against public safety environments.

  1. Entry occurs through criminal VPN infrastructure or valid remote access paths that make attacker activity look like normal remote connectivity.
  2. Escalation follows when attackers use valid accounts, brute-force, and remote services to discover internal systems and probe CJIS-relevant environments.
  3. Impact emerges as ransomware groups use the access path for intrusion support, reconnaissance, and broader malicious activity that threatens public safety operations.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Trusted access breaks down when agencies treat network reachability as proof of legitimacy. The article shows that criminal VPN infrastructure can sit inside the same remote-access patterns agencies use for vendor support, mobile work, and legacy systems. That is a CJIS governance failure, not just a traffic problem. The implication is that access assurance must be based on identity, device, and session evidence, not on whether the path looks familiar.

Shared credentials create accountability debt in public safety environments. Officers delaying logouts or multiple users sharing the same account are understandable operational shortcuts, but they erase the audit trail CJIS depends on. The specific failure mode is not weak authentication alone. It is access accountability that cannot survive the realities of shared workstations, mobile terminals, and shift-based operations. Practitioners need to treat that as a governance defect, not a user inconvenience.

Operationally usable security is not a softer control model; it is the control model CJIS requires. If authentication slows dispatch, patrol, or vendor support, users will route around it. That is why the article’s real lesson is about control adoption, not just control presence. The field should reframe CJIS compliance as a trust-verification problem inside mission workflows, where secure access must remain practical enough to be followed consistently.

Session trust is the named concept that public safety teams should focus on. The article makes clear that the risky unit is not only the account or the network path, but the session itself, because that is where identity, location, and behaviour converge. When session trust is weak, a legitimate-looking connection can still be the front door for intrusion. Practitioners should treat session-level assurance as the missing layer in CJIS access governance.

Third-party access needs lifecycle control, not just perimeter control. The same remote services that support CAD, jail, records, and infrastructure can become persistent exposure if they are not limited and removed when no longer needed. The governance problem is that vendor access often outlives the operational need. Practitioners should view that as an access lifecycle issue, not only a remote access issue.

From our research:

  • When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • DeepSeek accidentally embedded over 11,000 secrets in its training data and left a database exposed online, revealing more than one million sensitive records including chat histories, backend credentials, and API keys.
  • For the broader access-risk picture, see Ultimate Guide to NHIs, Key Challenges and Risks for how visibility gaps and over-privilege create avoidable exposure.

What this signals

Session trust is becoming the practical control boundary for CJIS-regulated agencies. The article points to a shift from network-centric thinking toward identity-centric verification, where the real question is whether a user, device, and session deserve access now. That aligns with broader identity governance trends, especially in environments where shared endpoints and remote support are part of normal operations.

With 70% of organisations already granting AI systems more access than human employees, per the 2026 Infrastructure Identity Survey, the access problem is no longer limited to human remote work. Public safety teams should expect identity assurance demands to expand across machine access, third-party support, and emerging autonomous workflows.

Access accountability will increasingly be judged by the quality of the session record. If agencies cannot reconstruct who accessed CJIS data, from where, and under what conditions, the control did not function as intended. That makes session telemetry, identity proof, and revocation discipline central to future audit readiness.


For practitioners

  • Separate shared access from shared credentials: Use individual identities for every officer, dispatcher, and support worker even when the endpoint is shared. Preserve session accountability with fast switching and strong audit logs so shared workstations do not become shared responsibility gaps.
  • Verify trust before reaching CJIS systems: Make remote access decisions based on identity, device state, session context, and location anomalies, not only on whether a VPN connection exists. Treat unusual locations or IP addresses as signals for step-up review.
  • Limit and review vendor remote access lifecycles: Give third-party support only the minimum access required, monitor every privileged session, and revoke access when the support relationship ends. Vendor access should never remain open because the environment is operationally busy.
  • Make multifactor authentication fit public safety workflows: Deploy MFA that officers, dispatchers, and support staff can complete quickly and consistently at the console, in vehicles, and across legacy systems. If authentication creates shortcuts, the control is failing its real job.
  • Instrument anomalous session investigation: Watch for unusual session activity, remote services usage, and suspicious account behaviour that could indicate criminal VPN abuse or session hijacking. Investigators should be able to reconstruct who accessed what, when, and from where.
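An added example (not from the original post or from Imprivata) of the session reconstruction the first and last items call for, run over constructed audit rows: it rebuilds sessions from login/logout events, flags one account active from two source IPs at the same time and a shared workstation handed over before the previous user logged out, and answers who accessed a resource, when and from where. The CSV layout, host names and addresses are assumptions.

```python
import csv
from datetime import datetime
from io import StringIO
# Constructed sample audit records (not real agency data): one row per login, access or logout.
SAMPLE_LOG = """\
ts,event,user,workstation,src_ip,resource
2026-05-20T07:58:00,login,dispatcher01,DISP-03,10.0.5.21,-
2026-05-20T08:02:10,access,dispatcher01,DISP-03,10.0.5.21,cad_dispatch
2026-05-20T08:15:00,login,dispatcher01,MDT-17,198.51.100.44,-
2026-05-20T08:16:30,access,dispatcher01,MDT-17,198.51.100.44,cji_records
2026-05-20T16:00:00,login,dispatcher02,DISP-03,10.0.5.21,-
2026-05-20T16:05:00,logout,dispatcher01,DISP-03,10.0.5.21,-
"""

def parse(text):
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(rows, key=lambda r: r["ts"])

def sessions(events):
    """Rebuild (user, workstation, src_ip, start, end); sessions still open at the end of the log close at its last timestamp."""
    open_, out, last = {}, [], events[-1]["ts"]
    for e in events:
        key = (e["user"], e["workstation"])
        if e["event"] == "login":
            open_[key] = (e["src_ip"], e["ts"])
        elif e["event"] == "logout" and key in open_:
            ip, start = open_.pop(key)
            out.append((e["user"], e["workstation"], ip, start, e["ts"]))
    return out + [(u, w, ip, start, last) for (u, w), (ip, start) in open_.items()]

def overlap(a, b):
    return a[3] < b[4] and b[3] < a[4]

def concurrent_sources(sess):
    """One account active from two source IPs at once: shared-credential or session-hijack signal."""
    return sorted({a[0] for a in sess for b in sess
                   if a[0] == b[0] and a[2] != b[2] and overlap(a, b)})

def unclosed_handover(sess):
    """A second user logged in to a shared workstation before the first logged out."""
    return sorted({a[1] for a in sess for b in sess
                   if a[1] == b[1] and a[0] != b[0] and overlap(a, b)})

def who_accessed(events, resource):
    """Reconstruct who touched a resource, when, from which workstation and source IP."""
    return [(e["user"], e["ts"].isoformat(), e["workstation"], e["src_ip"])
            for e in events if e["event"] == "access" and e["resource"] == resource]
```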

Key takeaways

  • The article shows that criminal VPN infrastructure exploits ordinary remote access patterns, turning trusted workflows into an attacker advantage.
  • The clearest evidence is the FBI’s attribution of the criminal VPN service to at least 25 ransomware groups, which shows the scale of the abuse pattern.
  • The control that matters most is identity-aware trust verification across sessions, because network blocking alone cannot prove whether access should be allowed.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Remote access abuse hinges on credential handling and session trust for non-human and shared accounts.
NIST CSF 2.0 | PR.AC-4 | Least privilege and access restriction are central to CJIS remote access governance.
NIST Zero Trust (SP 800-207) | AC-4 | Zero Trust principles fit the need to verify each session, device, and user before granting access.

Review remote access credentials, session scope, and revocation timing for every CJIS-adjacent NHI.


Key terms

  • Session Trust: Session trust is the judgment that a login or connection should be allowed to continue based on identity, device, and behavioural evidence. In public safety and CJIS settings, it is the control layer that separates merely connected users from users who should be trusted with sensitive information.
  • CJIS Accountability: CJIS accountability is the ability to prove who accessed criminal justice information, from where, and under what conditions. It depends on individual identities, auditable sessions, and revocation discipline, not just on whether a connection was technically permitted.
  • Shared Device Workflow: A shared device workflow is an operating model where multiple people use the same workstation, terminal, or vehicle system across shifts. It is common in public safety, but it raises identity and audit challenges because the device is shared while the responsibility for access must remain individual.
  • Remote Access Lifecycle: Remote access lifecycle is the full sequence of granting, monitoring, limiting, and removing external access. In CJIS-regulated environments, it matters because support relationships and operational exceptions can leave access open long after the original need has ended.

Deepen your knowledge

CJIS access control and trusted workflow design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your agency is trying to secure public safety access without slowing mission-critical work, it is a practical place to start.

This post draws on content published by Imprivata covering FBI guidance on criminal VPN abuse and CJIS access control. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-22.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org