Security - August 15, 2025

Unraveling the Mystery: Unclear Origin of Second Major Hack on US Federal Judiciary’s Electronic Case System

The current administration faces its first federal cybersecurity crisis: a hack of the United States federal judiciary's electronic case filing system has forced several courts to fall back to paper filing. The intrusion, detected around July 4, put sealed court records at risk and may have exposed the identities of confidential informants and cooperating witnesses in multiple states.

More than a month after the intrusion was discovered, the basic facts remain unclear, including which data and which systems were affected. Politico first reported that the Case Management/Electronic Case Files system, known as CM/ECF, was breached, and that criminal dockets, arrest warrants, and sealed indictments may have been exposed. CM/ECF was also compromised in 2020, during the previous administration. On August 10, Politico reported that the attackers exploited software vulnerabilities that had been identified after that earlier incident, about five years ago, and were never fixed.

Jake Williams, a former NSA hacker and now vice president of research and development at Hunter Strategy, expressed concern about the lack of transparency regarding the affected data. "We're more than a month into detecting this intrusion and still don't have a comprehensive understanding of what's been impacted," Williams said. He added that it would be disappointing if the system lacked the logging needed to reconstruct the attackers' activity, given how repeatedly it has been targeted over the years.

In response to a request for comment, the United States Courts referred WIRED to its August 7 statement, which outlined efforts to strengthen protections for sensitive case documents and further enhance the security of the system. The courts emphasized that while most documents are available to the public, some filings contain confidential or proprietary information that is sealed from view.

The Department of Justice did not respond to requests for comment on the scope of the breach or who carried it out. Reports this week that Russia was involved, or was the sole perpetrator, are hard to square with indications that espionage actors backed by several countries, and possibly organized crime groups as well, may have been active in the incident.

John Hultquist, chief analyst in Google’s Threat Intelligence Group, noted that investigations are often targeted by cyberespionage actors from several nations. “Multiple actors probing a sensitive and potentially vulnerable system is not an uncommon occurrence,” Hultquist said.

News of the breach comes as the administration continues to cut the federal workforce, including at intelligence and cybersecurity agencies, raising concerns about the government's ability to investigate such incidents effectively. Williams was skeptical that the attackers will be publicly named in the current climate. "I think federal investigators probably know who was behind the attack, but given the climate, I would suspect that no one wants to say with certainty," he said.

Researchers stress that the vulnerabilities that enabled the attack on CM/ECF should have been fixed after the 2020 breach. Tim Peck, senior threat researcher at Securonix, suggested that enforcing policies requiring sealed or highly sensitive documents to be handled on air-gapped systems or secure isolated networks would significantly reduce exposure. Consistent, centralized logging across the separate CM/ECF instances, he added, could also have enabled earlier detection and rapid mitigation before data exfiltration escalated as it did.
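To make the centralized-logging point concrete, here is an added example that is not part of the article and not CM/ECF's own code or log schema. It assumes a hypothetical per-court access log (constructed lines below, with made-up court codes and account names) and compares what a single court's instance can see with what a central log store can see: an account that pulls a handful of sealed documents from each of several courts stays under any per-court threshold, and only the aggregated view reveals the pattern.

```python
"""Added example (not from the article): why centralized logging across
separate CM/ECF instances matters for detection.

The log format, field names, court codes, account names and thresholds
are constructed for illustration; none of them is CM/ECF's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one line per document retrieval, in a hypothetical
# format:  <ISO timestamp> <court> <account> <action> <doc_id> <sealed:0|1>
SAMPLE_LOG = """\
2025-07-03T01:12:04Z nysd clerk_ab view DOC-1001 0
2025-07-03T01:13:40Z nysd svc_sync view DOC-1002 1
2025-07-03T01:14:02Z nysd svc_sync view DOC-1003 1
2025-07-03T01:20:11Z cacd svc_sync view DOC-2001 1
2025-07-03T01:21:45Z cacd svc_sync view DOC-2002 1
2025-07-03T01:30:00Z txsd svc_sync view DOC-3001 1
2025-07-03T01:31:30Z txsd svc_sync view DOC-3002 1
2025-07-03T01:40:09Z ilnd svc_sync view DOC-4001 1
2025-07-03T09:00:00Z nysd clerk_ab view DOC-1004 1
2025-07-03T09:05:00Z nysd clerk_ab view DOC-1005 1
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, court, account, action, doc_id, sealed = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "court": court, "account": account, "action": action,
            "doc_id": doc_id, "sealed": sealed == "1",
        })
    return events


def per_court_alerts(events, max_sealed_per_court=3):
    """What an isolated instance can see: sealed-document views per
    account in its own logs only. Two views per court trips nothing."""
    counts = defaultdict(int)
    for e in events:
        if e["sealed"]:
            counts[(e["court"], e["account"])] += 1
    return {k: v for k, v in counts.items() if v > max_sealed_per_court}


def cross_court_alerts(events, min_courts=3, window=timedelta(hours=1)):
    """What a central log store can see: one account viewing sealed
    documents at several different courts within a short window."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["sealed"]:
            by_account[e["account"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits inside `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            courts = {x["court"] for x in evs[start:end + 1]}
            # keep the widest set of courts seen for this account
            if len(courts) >= min_courts and len(courts) > len(alerts.get(account, ())):
                alerts[account] = sorted(courts)
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-court view:", per_court_alerts(events))      # {}
    print("central view:  ", cross_court_alerts(events))    # svc_sync across 4 courts
```

With the constructed input, `per_court_alerts` returns nothing because no account exceeds three sealed views at any single court, while `cross_court_alerts` flags `svc_sync` for touching sealed filings at four courts within half an hour. The legitimate `clerk_ab` account, which views sealed documents only at its own court, is not flagged in either view.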

High-value targets like the US Courts' systems will keep being attacked. What reduces both the likelihood and the severity of the next breach is fixing the flaws promptly the first time they are exploited, rather than leaving them open for years.