Sealed U.S. court records possibly accessed by SolarWinds attackers

The Administrative Office (AO) of the U.S. Courts has revealed on Wednesday that it is investigating whether sealed U.S. court records had been accessed by the SolarWinds attackers.

In related news, SolarWinds has hired former CISA director Chris Krebs and Stanford Uni professor and former Facebook CSO Alex Stamos to help them recover from the hack that lead to compromises of a considerable number of businesses (including FireEye and Microsoft) and US government agencies.

The extent of the compromise of the Judiciary systems is still unknown

The AO said that when, in mid-December, the CISA issued an emergency directive regarding the compromise of SolarWinds Orion products, “the Judiciary has suspended all national and local use of this IT network monitoring and management tool.”

The AO is now working with the Department of Homeland Security “on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF” and has announced new security procedures to protect highly sensitive confidential documents filed with the courts.

From now on, these types of documents “will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system,” and not be uploaded to CM/ECF.

Sealed court records may contain a variety of very sensitive information, such as details about how law enforcement managed to get information during an investigation and names of people that haven’t yet been arrested but for whom indictments have been drawn up.

Add to this the Wednesday confirmation that the SolarWinds intruders also managed to access the Department’s Microsoft O365 email environment and the mailboxes of 3 percent of U.S. Justice Department email accounts, and it’s easy to see how thusly gleaned sensitive information may help hackers (whether they are opportunist attackers or, as purported, backed by a nation).

SolarWinds gets outside help

Texas-based SolarWinds have first called in CrowdStrike to help with the investigation.

On Thursday, they have hired Krebs and Stamos – who recently founded a new cybersecurity consultancy – to provide guidance for strengthening the company’s security posture.

Krebs, who was the first director of the Cybersecurity and Infrastructure Security Agency and was fired from the post by President Trump in November 2020, and Stamos, who served as CSO at Yahoo, Facebook, and is a security and privacy advisor consultant for Zoom, have told the Financial Times that it could take years before all of the compromised systems can be made completely secure again.