Sealed U.S. Court Records Exposed in SolarWinds Breach

The ongoing breach affecting thousands of organizations that relied on backdoored network management software from SolarWinds may also have jeopardized the confidentiality of countless sealed court documents on file in the U.S. federal court system, according to a memo released Wednesday by the Administrative Office (AO) of the U.S. Courts.

The judicial branch agency said it would put stricter controls in place for the receipt and storage of sensitive documents filed with federal courts, after discovering that its own systems had been compromised as part of the SolarWinds supply chain attack. The hack involved the malicious insertion of backdoor code into software updates that SolarWinds provided to approximately 18,000 users of its Orion network management software, beginning as early as March 2020.

“The AO is working with the Department of Homeland Security on a security audit related to vulnerabilities in the judiciary’s Case Management/Electronic Case Files system (CM/ECF) that put at risk highly sensitive non-public documents stored on CM/ECF, particularly sealed filings,” the agency said in a statement on January 6.

“An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities is currently under investigation,” the statement continued. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.”

The AO declined to comment on specific questions about its disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court system had been “hit hard” by the SolarWinds attackers, whom several U.S. intelligence and law enforcement agencies have described as “likely Russian in origin.”

The source said the intruders behind the SolarWinds compromise had seeded the AO’s network with a second-stage “Teardrop” malware, going beyond the “Sunburst” malicious software update that was opportunistically pushed to all 18,000 customers running the compromised Orion software. This suggests the attackers singled out the agency for deeper access to its networks and communications.

The AO’s court document system includes a publicly searchable database called PACER, and the vast majority of the files in PACER are unrestricted and available to anyone willing to pay for the records.

But experts believe that many other documents stored in the AO’s system are sealed – either temporarily or indefinitely, by the courts or by parties to a lawsuit – and may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants.

Nicholas Weaver, a lecturer in the computer science department at the University of California, Berkeley, said the court system does not hold documents that are classified for national security reasons. But he said the system is full of sensitive sealed filings – such as subpoenas for email records and so-called “trap and trace” requests that law enforcement uses to determine with whom a suspect is communicating by phone, when, and for how long.

“It would be a treasure trove for the Russians to know about a lot of ongoing criminal investigations,” Weaver said. “If the FBI has charged anyone but has not yet arrested them, it’s all under seal. Many of the investigative instruments protected under seal are filed very early in the process, often with gag orders that prevent [the subpoenaed party] from disclosing the request.”

The AO’s acknowledgment came hours after the U.S. Department of Justice said it, too, was a victim of the SolarWinds intruders, who took control of the department’s Office 365 system and accessed email sent or received by about three percent of DOJ accounts (the department has more than 100,000 employees).

The SolarWinds hack also reportedly compromised email systems used by top Treasury Department officials and gave the attackers access to networks within the departments of Energy, Commerce and Homeland Security.

The New York Times reported Wednesday that investigators are examining whether a breach at another software vendor – JetBrains – may have enabled the attack on SolarWinds. The company, founded by three Russian engineers in the Czech Republic, makes a tool called TeamCity that helps developers test and manage software code. TeamCity is used by developers at 300,000 organizations, including SolarWinds and 79 of the Fortune 100 companies.

“Officials are investigating whether the company, which was founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of countless technology companies,” The Times said. “Security experts warn that the months-long intrusion could be the biggest breach of U.S. networks in history.”

Under the AO’s new procedures, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed documents will not be uploaded to CM/ECF.

“This new practice will not change the current policy regarding public access to court records, since sealed records are confidential and currently are not available to the public,” the AO said.

James Lewis, senior vice president at the Center for Strategic and International Studies, said it was too soon to tell the true impact of the breach on the court system, but the fact that it was apparently targeted is a “very big deal.”

“We don’t know what the Russians took, but the fact that they had access to this system means they had access to a lot of amazing things, because federal cases usually involve fairly high-profile targets,” he said.

Tags: Administrative Office of the U.S. Courts, Nicholas Weaver, Orion, PACER, SolarWinds breach, U.S. Department of Justice

This entry was posted on Thursday, January 7th, 2021 at 6:48 pm.
