
The US federal courts got hacked, but won’t say how badly

The US Courts filing system was breached in December 2020. 18 months later, we’re getting some answers.

Your honor, may I hack the bench? The US Courts’ electronic filing system suffered “an incredibly significant and sophisticated” cyberattack in December 2020, over 18 months ago—but the only thing clear so far is that members of Congress suspect the judiciary is downplaying how bad the breach really was.

That description of the attack comes via House Judiciary Committee chair Representative Jerrold Nadler, who said in a hearing on July 28 that it involved “three hostile foreign actors” and “had lingering impacts on the [federal court system] and other agencies.” According to the Register, Assistant Attorney General for National Security Matthew Olsen told members of the committee that the Department of Justice is investigating but failed to share any specifics on what happened.

What is known is that in January 2021, judiciary officials acknowledged a breach of the Case Management/Electronic Case Files (CM/ECF) system, writing that vulnerabilities “greatly risk compromising highly sensitive non-public documents” like sealed court filings. Nadler suggested the CM/ECF breach was not related to the massive SolarWinds hack, in which attackers inserted malicious code into Orion network management software to compromise potentially hundreds of customers in the private and public sector—including over a dozen federal agencies, such as the judiciary.

What, me, worry? A breach of the system could potentially expose records related to all manner of federal litigation, including sealed records related to pending cases or national security matters. Olsen told Nadler at the hearing that he wasn’t aware of any cases in his division that had been “materially impacted, prolonged, or dismissed” due to the breach. In January 2021, Courthouse News noted, the federal judiciary began asking for “highly sensitive” documents to be submitted via paper or hard storage rather than digitally for security reasons.

Top insights for IT pros

From cybersecurity and big data to software development and gaming. Our IT Brew newsletter delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Politico separately reported that a committee aide anonymously confirmed the impact on the DOJ was “staggering.” The same day as the hearing, Senator Ron Wyden released a letter to the Administrative Office of the US Courts expressing “serious concerns that the federal judiciary has hidden from the American public and many members of Congress the serious national security consequences” of the attack, adding the judiciary “has yet to publicly explain what happened” and has refused multiple requests by Congress to conduct unclassified briefings (which members could then publicly share).

Wyden cited a recent General Services Administration review that found decentralization and complexity of the outdated system had resulted in “system instability, high maintenance costs, and system risks,” but he told Politico he couldn’t go into further detail due to rules about handling classified data. He additionally slammed the agency for opposing legislation that would modernize the CM/ECF and ensure it meets the “same cybersecurity standards” applicable to other agencies.

Nadler’s office did not return a request for comment from IT Brew. A DOJ spokesperson restated the agency’s policy of declining to speak about specific investigations, “whether hypothetical or ongoing.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.
