The staggering revelations about the impact of the ‘SolarWinds’ attacks keep coming daily, and their weight never ceases to startle. The latest troubling finding comes from a memo released by the Administrative Office of the U.S. Courts, informing all stakeholders of the federal court system that a large number of sealed court documents have been accessed by the ‘SolarWinds’ hackers.
The implications of this event are dire, as these documents detail ongoing legal actions, investigation details, incriminating evidence, and confidential data that was never meant to be made public, now or ever.
The most valuable information the hackers may have accessed this time is the sealed filings of subpoenas concerning investigations of email and telephone communications. This is precisely what would tell the hackers whom law enforcement authorities in the United States are targeting, whose communications are under scrutiny, and who may soon be summoned by the police. It essentially blows the cover of secret investigations and renders several high-profile operations worthless.
The intrusion involved the Orion network management software, which was compromised via a malicious update that planted the “Sunburst” backdoor, an operation potentially carried out by Russian state-supported actors. According to investigator Brian Krebs, the actors went further in this case and managed to plant the second-stage “Teardrop” malware. The hackers were looking to gain deeper access to the federal justice system’s networks and communications, and it appears that they succeeded.
The Administrative Office is now working with the Department of Homeland Security on a security audit that will hopefully ensure that all systems are cleaned and protected from future risks. Only yesterday, the U.S. Department of Justice admitted that ‘SolarWinds’ hackers accessed 3% of its email accounts, which corresponds to about 3,000 users. It is unknown if the two are related in any way, and at this point, it doesn’t matter much as everything will have to be scrutinized before it is re-deployed.
The Administrative Office stated that it will now stop uploading these highly sensitive documents onto restricted systems and will instead secure them on isolated computers accessible only via MFA hardware keys. The rest of the records will remain accessible to the public as before.