An investigation has been launched into the impact of the SolarWinds breach on the computer systems used by federal courts in the United States, which reportedly represented a target of interest to the hackers.
The Administrative Office (AO) of the U.S. Courts said the investigation was launched in mid-December, after the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive (Emergency Directive 21-01) instructing federal agencies to immediately disconnect or power down affected SolarWinds Orion instances and to examine their networks for evidence of compromise through the Orion monitoring platform.
The judiciary ordered all local and national courts to stop using the Orion software, but the order may have come too late, as the attackers could already have accessed highly sensitive information, including sealed documents.
The majority of documents in the federal court system are available to the public, either for free or for a small fee, but sealed filings often contain sensitive information that is not meant to be made public.
“The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings. An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing,” the public was told on Wednesday.
The judiciary announced that it has started rolling out additional safeguards to protect sensitive court records — highly sensitive court documents will only be accepted by federal courts on paper or via an electronic device such as a thumb drive, and they will be stored on a secure stand-alone computer rather than the CM/ECF system.
Investigative journalist Brian Krebs said he learned from sources that federal courts were actually “hit hard” by the SolarWinds breach, with the attackers delivering a piece of malware named Teardrop to the courts’ systems.
The threat group behind the SolarWinds supply chain attack, which the U.S. government believes is backed by Russia, leveraged trojanized updates for the Orion software to deliver a backdoor named Sunburst to the Texas-based company’s customers. While the Sunburst backdoor reached thousands of organizations, Teardrop is a second-stage, memory-only loader that the attackers deployed only on a few hundred victims they considered important targets; its presence on a network therefore indicates hands-on follow-up activity rather than a merely exposed Orion installation.
The potential impact of the SolarWinds hack on federal courts was announced on the same day the U.S. Justice Department announced that it too was hit and the attackers may have accessed some Microsoft 365 email accounts. The DoJ claimed there was no evidence that classified systems were compromised.