Sealed U.S. court records exposed in SolarWinds breach – Krebs on Security


The ongoing breach affecting thousands of organizations that relied on compromised products from network software company SolarWinds may have exposed the confidentiality of countless sealed court documents filed with the U.S. federal court system, according to a statement released by the Administrative Office (AO) of the U.S. Courts.

The court agency said it would roll out tighter controls for the receipt and storage of sensitive documents filed in federal courts, following the discovery that its own systems had been compromised as part of the SolarWinds supply chain attack. That intrusion involved malicious code surreptitiously inserted into updates that SolarWinds shipped, beginning in March 2020, to some 18,000 users of its Orion network management software.

“The AO is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings,” the agency said in a January 6 statement.

“An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities is currently under investigation,” the statement continued. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.”

The AO declined to comment on specific questions about its breach disclosure. But a source close to the investigation told KrebsOnSecurity that the federal court’s document system had been “hit hard” by the SolarWinds attackers, whom several U.S. intelligence and law enforcement agencies have attributed as “likely Russian in origin.”

The source said the intruders behind the SolarWinds compromise seeded the AO’s network with a second-stage “Teardrop” malware that went beyond the “Sunburst” malware update that had so far been pushed opportunistically to the 18,000 customers using the compromised Orion software. This suggests the attackers were targeting the agency for deeper access to its networks and communications.

The AO’s court document system powers a publicly searchable database called PACER, and the vast majority of PACER files are unrestricted and accessible to anyone willing to pay for the documents.

But experts say many other documents stored in the AO’s system are sealed – temporarily or indefinitely, by courts or by parties to a legal case – and may contain highly sensitive information, including intellectual property and trade secrets, or even the identities of confidential informants.

Nicholas Weaver, a lecturer in the computer science department at the University of California at Berkeley, said the court documents system does not contain documents classified for national security reasons. But he said the system is rife with sealed confidential documents – such as subpoenas for email records and so-called “trap and trace” requests that law enforcement officials use to determine with whom a suspect communicates by phone, when, and for how long.

“It would be a treasure trove for the Russians to know about many ongoing criminal investigations,” Weaver said. “If the FBI has charged someone but hasn’t arrested them yet, it’s all under seal. A lot of the investigative tools that are protected under seal are filed very early in the process, often with gag orders that prevent [the subpoenaed party] from disclosing the request.”

The AO’s acknowledgment came just hours after the U.S. Department of Justice said it, too, was a victim of the SolarWinds intruders, who took over the department’s Office 365 system and accessed emails sent or received by roughly three percent of DOJ accounts (the department has more than 100,000 employees).

The SolarWinds hack also reportedly compromised the email systems used by senior Treasury Department officials and allowed the attackers to gain access to the networks of the Departments of Energy, Commerce and Homeland Security.

The New York Times reported Wednesday that investigators are examining whether a breach at another software vendor – JetBrains – could have enabled the attack on SolarWinds. The company, founded by three Russian engineers in the Czech Republic, makes a tool called TeamCity that helps developers test and manage software code. TeamCity is used by developers at 300,000 organizations, including SolarWinds and 79 of the Fortune 100 companies.

“Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies,” the Times reported. “Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.”

Under the new AO procedures, highly sensitive court documents filed in federal courts will be accepted for filing on paper or via a secure electronic device, such as a USB flash drive, and stored in a secure stand-alone computer system. These sealed documents will not be uploaded to CM/ECF.

“This new practice will not change current policies regarding public access to court records, since sealed records are confidential and currently are not available to the public,” the AO said.

James Lewis, senior vice president at the Center for Strategic and International Studies, said it is too early to know the true impact of the breach on the judiciary, but the fact that the courts were apparently targeted is “a very big deal.”

“We don’t know what the Russians took, but the fact that they had access to this system means they had access to a lot of interesting things, because federal cases tend to involve fairly big targets,” he said.

Tags: Administrative Office of the U.S. Courts, Nicholas Weaver, Orion, PACER, SolarWinds breach, U.S. Department of Justice