DOJ, US Court System Latest To Announce They're Victims Of The Massive Solarwinds Hack

from the COVID-but-for-networked-systems dept

The hits just keep on coming for US federal agencies affected by the massive Solarwinds hack. State-sponsored hackers -- presumably Russian -- leveraged Solarwinds' massive customer base and compromised update server to infect systems around the world. Here in the United States, a possible 18,000 Solarwinds customers are affected… as are their users and customers, which brings the possible number of infected back up into the millions.

The DHS's cyber wing, CISA, issued a warning about the hack, noting that the only solution was to air gap affected systems and delete the compromised Orion software. Hours later, the entity warning other federal agencies about the hack announced it too had been hacked, making the whole thing a bit Monty Python-esque.

The list of federal agencies affected by this advanced persistent threat continues to grow. The Department of Commerce was one of the first to discover a breach. This was followed by announcements of suspected breaches at the US Postal Service and the Department of Agriculture. The Defense Department has also noted it's affected, although it has yet to deliver any specifics about the multitude of agencies it oversees.

The DHS, Department of Energy, and the National Nuclear Security Administration have also been breached. The latest news adds a couple more federal agencies/operations to the list.

The DOJ says it's been breached, but appears to believe the damage is minimal. That doesn't seem to jibe with the details of the statement, which says an email system used by damn near everyone was the target.

On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment.

After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted.

There's a lot of sensitive information floating around the DOJ, given the large number of federal investigations and prosecutions it oversees. The breach could be even more severe than this indicates, given this breach announcement, which affects an adjacent branch of the government.

The AO [Administrative Office of the US Courts] is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings. An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing.

Hackers may have obtained access to sealed dockets and documents, including warrants, affidavits, and other investigative/prosecutorial filings that haven't been made public. Not only would this include investigative techniques, information on informants, and other sensitive information tied to ongoing investigations and prosecutions, it also affects a multitude of private individuals and companies who have been allowed to litigate under seal to protect personal/confidential info that could cause serious damage to litigants if made public.

Sure, there's a presumption of openness in the court system, but there's still a lot of stuff filed under seal, at least temporarily. Publication of sealed documents could conceivably cause damage to people, places, and things… even if the government tends to overstate the damage when asking judges for secrecy.

For the time being, the US Courts system will require all sensitive filings to be done in paper form or via "secure electronic devices." These will be stored in a standalone system that's completely walled off from the CM/ECF system that's accessible via PACER. This new process won't affect every sealed document, though -- just the ones the courts consider to be "highly-sensitive."

[M]ost documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, administrative immigration records, and sealed filings in many civil cases likely would not be sufficiently sensitive to require HSD [highly sensitive court documents] treatment and could continue to be sealed in CM/ECF as necessary.

Given the interconnectedness of the internet of government things, a breach in one location can easily result in cross-pollination. Just because an agency hasn't discovered a breach yet doesn't mean a malicious hacker hasn't established a foothold in the system. The end of this long international nightmare is still well over the horizon. The popularity of Solarwinds' products made it too tempting of a target to pass up.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, doj, hack, us courts
Companies: solarwinds

Reader Comments

Subscribe: RSS

View by: Thread

  1. identicon
    Anonymous Coward, 12 Jan 2021 @ 9:30pm

    Re: This is getting beyond comedic.

    1. DLL's are not hardware drivers per se, and the vast majority of dll's you may encounter have nothing to do with hardware drivers at all. There was no hardware system directly involved here. Just the Solarwinds software.

    2. Solarwinds is the largest provider of enterprise network monitoring and management software in the world, so yes it got deployed within a very large number of networks.

    3. Most likely many of them, which was why the compromised component contained a variety of classes and routines normally used in the functionality of the software. The malware component remains dormant until a randomly selected time 12-14 days after installation on a system (presumably in an attempt to avoid any initial screening periods customers use as part of their own security before deploying more widely). It also contained an extensive obscufated blocklist of anti-virus tools, which if present it seeks to temporarily disable or absent that halt its own activity. After that, it hides communications within traffic designed to mimic normal solarwinds software communications.

    *This took over 6 months to Notice things had changed on the system?

    They took 0 days to notice things had changed, changing things is literally the definition of installing new software. It took months to realize that the software solarwinds provided wasn't only doing the things it was supposed to.

    No evaluation that the NEW DLL was needed?

    The dll they received was neither independent nor "new", but a normal part of the software package provided directly by the manufacturer (Solarwinds).

    was it a direct Download, or a central distribution from the gov.?

    In any large organization, the IT department receives software directly from the manufacturer, then acts as a central "distributor" within the organization.

    AND why isnt this person doing his job?

    Solarwinds was compromised at least 8 months before he was appointed, and the compromised software was distributed from them at least 2 months before he was appointed. If you want to blame someone, at least obey the laws of causality.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.