Sealed US court records exposed in SolarWinds breach – KrebsOnSecurity

The ongoing breach affecting thousands of organizations that relied on backdoored products from network software company SolarWinds may have jeopardized the confidentiality of numerous sealed court documents on file with the US federal court system, according to a memo released on Wednesday by the Administrative Office (AO) of the US Courts.

The judiciary agency said it would implement tighter controls for receiving and storing sensitive documents filed in federal courts after discovering that its own systems were compromised as part of the SolarWinds supply-chain attack. In that intrusion, malicious code was covertly inserted into updates that SolarWinds pushed to roughly 18,000 customers of its Orion network management software, beginning as early as March 2020.

“The AO is working with the Department of Homeland Security on a security audit related to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF), which is at great risk of compromising highly sensitive non-public documents stored in CM/ECF, particularly sealed filings,” the agency said in a statement published on January 6.

“An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities is currently under investigation,” the statement continues. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.”

The AO declined to comment on specific questions about the breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court’s document system was “hard hit” by the SolarWinds attackers, whom several US intelligence and law enforcement agencies have attributed to an actor of “likely Russian origin”.

The source said the attackers behind the SolarWinds compromise seeded the AO’s network with a second-stage malware known as “Teardrop”, which went beyond the backdoored “Sunburst” update that was pushed indiscriminately to all 18,000 customers running the compromised Orion software. Sunburst reached every Orion customer; Teardrop was dropped only on networks the intruders chose to pursue, so its presence suggests the attackers had singled out the agency for deeper access to its networks and communications.

The AO’s court document system feeds a publicly searchable database called PACER, and the vast majority of PACER records are unrestricted and available to anyone willing to pay for them.

But experts say many other documents stored in the AO’s system are sealed, either temporarily or indefinitely, by courts or by parties to a legal matter, and may contain highly confidential information, including intellectual property and trade secrets, or even the identities of confidential informants.

Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said the court’s document system does not hold documents classified on national security grounds. But he said the system is full of sensitive sealed filings, such as subpoenas for email records and so-called “trap and trace” orders that investigators use to determine whom a suspect is communicating with by phone, when, and for how long.

“This would be a treasure for the Russians, knowing that many criminal investigations are underway,” Weaver said. “If the FBI has indicted someone but hasn’t yet arrested them, it’s all under seal. Many of the investigative tools that are protected under seal are filed early in the process, often with gag orders that prevent [the subpoenaed party] from disclosing the request.”

The AO’s acknowledgment came hours after the US Department of Justice said it too was a victim of the SolarWinds intruders, who took control of the department’s Office 365 email system and accessed mail sent or received by about three percent of DOJ accounts (the department has more than 100,000 employees).

The SolarWinds hack also compromised email systems used by senior Treasury Department officials and gave the attackers access to networks inside the Energy, Commerce and Homeland Security departments.

The New York Times reported on Wednesday that investigators are examining whether a breach at another software vendor, JetBrains, may have precipitated the attack on SolarWinds. The company, founded by three Russian engineers in the Czech Republic, makes a tool called TeamCity that developers use to build, test and manage software code. TeamCity is used by developers at 300,000 organizations, including SolarWinds and 79 of the Fortune 100 companies.

“Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of countless technology companies,” The Times said. “Security experts warn that a month-long intrusion could be the biggest breach of US networks in history.”

Under the new AO procedures, highly sensitive documents filed in federal courts will be accepted only in paper form or on a secure electronic device, such as a thumb drive, and stored on a standalone, secure computer system. These sealed documents will not be uploaded to CM/ECF, which keeps them off the network-connected system that was compromised.

“This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public,” the AO said.

James Lewis, senior vice president at the Center for Strategic and International Studies, said it is too early to gauge the true impact of the breach on the judicial system, but the fact that the courts were apparently targeted is a “big deal”.

“We don’t know what the Russians took, but the fact that they had access to this system means they had access to many good things, because federal cases tend to involve well-known targets,” he said.

Tags: Administrative Office of the US Courts, Nicholas Weaver, Orion, PACER, SolarWinds breach, US Department of Justice

This entry was posted on Thursday, January 7th, 2021 at 18:48 and is filed under Data breaches.