A breach of an electronic records system used by the US federal courts for filing and case management is being investigated by the Justice Department, which is keeping most of the details of the incident from the public. However, recent testimony from House Judiciary Committee Chair Jerrold Nadler has revealed that the data breach first took place in early 2020 and may have had a window stretching into early 2021.
Data breach of federal courts acknowledged in early 2021, but new testimony indicates it happened in early 2020
The US federal courts issued a statement in January 2021 acknowledging a “significant” data breach of its Case Management/Electronic Case Files (CM/ECF) records system, and issuing instructions for highly sensitive documents to be filed by hand on paper until the issue was resolved. A security audit was announced, but details about the incident have been thin ever since.
The new testimony from Nadler indicates that the data breach dates back to early 2020, leaving the possibility that someone had surreptitious access to the records system for almost the entirety of that year. Among the few other details revealed at the Justice Department hearing were that “three foreign hostile actors” were involved and that the attack was “startling in breadth and scope” and that it may have had a “staggering” impact on the Department of Justice. Testimony at the hearing also clarified that this was something distinct from the wave of SolarWinds attacks in 2020, and that the full length and extent of the data breach was not discovered until March 2022.
Assistant Attorney General for National Security Matthew Olsen also testified at this hearing and said that the number of cases impacted by the data breach could not be disclosed at this time for security reasons. Olsen did indicate that he could not think of any cases being pursued by the federal courts that might be impacted by the breach.
There remains some confusion over potential ties to the SolarWinds incident. Nadler’s testimony indicates that this is an entirely different breach, but the 2021 notice issued by the federal courts indicated that they may be connected. This may have been an assumption in January 2021, however, as SolarWinds had just been discovered shortly before that and was a hot topic at the time.
Sen. Ron Wyden, who sits on the Senate Intelligence Committee, has penned a letter to the Administrative Office of the U.S. Courts expressing “serious concerns” about the possibility of the federal courts hiding information from the government about the impact on the records system. Wyden noted that officials have repeatedly refused requests to engage in unclassified briefings of Congress.
Roger Grimes, Data Driven Defense Evangelist with KnowBe4, points out that the language Nadler used implies that there may well have been multiple breaches that made use of the same entry point: “Three hostile foreign actors doesn’t mean they discovered three individual human hackers. It means three different, likely unrelated, foreign groups. They’ve likely been in there for awhile, months to years. It may be shocking to some, but this is not that unusual. I’ve been in large companies where they had 8 different hacking groups, some fighting the others in an unseen King of the Hill battle. I’ve seen hackers apply the patches that the owners didn’t apply to keep other attackers out. No one should single out the Justice Department as some weakly secured organization. They may not be the most secure organization, but probably 90% of all organizations have the same level of security risk … It’s like a homeowner who is constantly having people break into his house knows that the attackers are mostly doing so by coming through the windows and decides he needs stronger doors to ward off future thieves. That’s an apt description of the world’s current computer security defenses. We know how we’re being broken into, but for some reason we keep doing everything else and wonder why it’s not working.”
Length of compromise of records system, extent of damage remains unknown
While the government is being tight-lipped about how much damage was done to the federal courts or exactly who was behind the attack on the records system, Olsen’s office is generally only involved in these matters when nation-state hackers are also involved. That, and the sophistication of the attack along with Nadler’s comments about foreign actors, points to the usual rogue’s gallery of advanced persistent threat (APT) groups that devote substantial time and resources to spying on the United States: Russia, China, Iran or North Korea.
The federal courts have announced security changes in response to the Justice Department’s investigation, but these will not impact the general public’s interactions with the system. Internal security changes to the records system involve reinstating the special procedures for certain highly sensitive files, requiring them to either be submitted on paper or via a secure thumb drive. These sensitive documents are also being moved to a stand-alone system with enhanced security. And though it is supposedly not involved in this particular data breach, SolarWinds’ Orion monitoring platform has been banned from the federal courts as well.
The federal government has been struggling with a string of major data breaches since 2014, when the records system of the Office of Personnel Management was compromised exposing over 22 million files pertaining to nearly every government employee and retiree. China’s state-sponsored hackers were accused of that attack. This kicked off a chain that included the breaches of the Democratic National Committee and Congressional Campaign Committee email systems ahead of the 2016 election, the “BlueLeaks” breach of law enforcement “fusion centers” used by some federal agencies, the SolarWinds attack on multiple federal agencies, and a breach of Defense Department travel records. Most of these incidents were ultimately tied to Russian state-sponsored APT groups.
Tim Marley (VP Audit, Risk & Compliance, Field CISO) at Cerberus Sentinel speculates on how much damage this data breach potentially did to the federal courts, and what involvement vendors might have had (other than the presence of SolarWinds) in the incident: “We’ve learned to measure risk by examining threats, vulnerabilities and the potential impact to our assets, including systems and data. When you look at the “startling breadth and scope” of the breach and the references to adversaries including Russia and China, it does make you question whether anyone evaluated the risk associated with this system ahead of time. If the risks were adequately identified and scored, then what sort of decision was made in response? … The comments by Rep. Sheila Jackson Lee would indicate substantial operational impacts that may very well have led to the dismissal of court cases without trial. Again, with impacts this significant, it’s difficult to understand why stronger preventative measures weren’t already in place … We depend on the services and products of third parties to manage our information systems in today’s environment. It is still our responsibility to ensure that these products and services are secure. Further, we need to have a response plan for when those products and services fail to meet our expectations. A mature Third-Party Risk Management (TPRM) program requires that we assess those vendors that could directly impact the confidentiality, integrity or availability of our systems and data. These assessments should be conducted prior to engaging with a new vendor and no less than annually for existing vendors.”