DOJ, US Court System Latest To Announce They're Victims Of The Massive Solarwinds Hack

from the COVID-but-for-networked-systems dept

The hits just keep on coming for US federal agencies affected by the massive Solarwinds hack. State-sponsored hackers -- presumably Russian -- leveraged Solarwinds' massive customer base and compromised update server to infect systems around the world. Here in the United States, a possible 18,000 Solarwinds customers are affected… as are their users and customers, which brings the possible number of infected back up into the millions.

The DHS's cyber wing, CISA, issued a warning about the hack, noting that the only solution was to air gap affected systems and delete the compromised Orion software. Hours later, the entity warning other federal agencies about the hack announced it too had been hacked, making the whole thing a bit Monty Python-esque.

The list of federal agencies affected by this advanced persistent threat continues to grow. The Department of Commerce was one of the first to discover a breach. This was followed by announcements of suspected breaches at the US Postal Service and the Department of Agriculture. The Defense Department has also noted it's affected, although it has yet to deliver any specifics about the multitude of agencies it oversees.

The DHS, Department of Energy, and the National Nuclear Security Administration have also been breached. The latest news adds a couple more federal agencies/operations to the list.

The DOJ says it's been breached, but appears to believe the damage is minimal. That doesn't seem to jibe with the details of the statement, which says an email system used by damn near everyone was the target.

On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others. This activity involved access to the Department’s Microsoft O365 email environment.

After learning of the malicious activity, the OCIO eliminated the identified method by which the actor was accessing the O365 email environment. At this point, the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted.

There's a lot of sensitive information floating around the DOJ, given the large number of federal investigations and prosecutions it oversees. The breach could be even more severe than this indicates, given this breach announcement, which affects an adjacent branch of the government.

The AO [Administrative Office of the US Courts] is working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings. An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation. Due to the nature of the attacks, the review of this matter and its impact is ongoing.

Hackers may have obtained access to sealed dockets and documents, including warrants, affidavits, and other investigative/prosecutorial filings that haven't been made public. Not only would this include investigative techniques, information on informants, and other sensitive information tied to ongoing investigations and prosecutions, it also affects a multitude of private individuals and companies who have been allowed to litigate under seal to protect personal/confidential info that could cause serious damage to litigants if made public.

Sure, there's a presumption of openness in the court system, but there's still a lot of stuff filed under seal, at least temporarily. Publication of sealed documents could conceivably cause damage to people, places, and things… even if the government tends to overstate the damage when asking judges for secrecy.

For the time being, the US Courts system will require all sensitive filings to be done in paper form or via "secure electronic devices." These will be stored in a standalone system that's completely walled off from the CM/ECF system that's accessible via PACER. This new process won't affect every sealed document, though -- just the ones the courts consider to be "highly-sensitive."

[M]ost documents similar to and including presentence reports, pretrial release reports, pleadings related to cooperation in most criminal cases, Social Security records, administrative immigration records, and sealed filings in many civil cases likely would not be sufficiently sensitive to require HSD [highly sensitive court documents] treatment and could continue to be sealed in CM/ECF as necessary.

Given the interconnectedness of the internet of government things, a breach in one location can easily result in cross-pollination. Just because an agency hasn't discovered a breach yet doesn't mean a malicious hacker hasn't established a foothold in the system. The end of this long international nightmare is still well over the horizon. The popularity of Solarwinds' products made it too tempting of a target to pass up.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, doj, hack, us courts
Companies: solarwinds


Reader Comments

Subscribe: RSS

View by: Thread


  1. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 11 Jan 2021 @ 10:43pm

    Nobody gives a shit.

    reply to this | link to this | view in thread ]

  2. This comment has been flagged by the community. Click here to show it
    identicon
    Anonymous Coward, 11 Jan 2021 @ 10:43pm

    Stupid cunts.

    reply to this | link to this | view in thread ]

  3. identicon
    Anonymous Coward, 12 Jan 2021 @ 1:51am

    And these jokers want to slurp up even more of our personal data when they can't even protect what they have.

    reply to this | link to this | view in thread ]

  4. identicon
    Anonymous Coward, 12 Jan 2021 @ 6:43am

    Just a question, as this could get much more interesting.

    Does anyone here know where the U. S. government keeps the design specifications, manufacturing specifications, the training and deployment documents for it's nuclear weapons and their systems? Also, what about the technical documents for the "Flying Ginsu" and other creative methods of mayhem?

    As any good engineer knows, if competent engineering talent has the aforesaid documents, then reverse engineering the systems is easy. Further, with reverse engineered systems detailed exploration for flaws is also easy. So, on which computer systems are the nuclear documents stored?

    Also, people like the CIA are document bound. Where are the CIA plans, activities reports, lists of domestic & foreign agents, contacts, collaborators and so on stored.?

    How about deployment data and status of the U. S. ballistic submarine fleet, where is that data stored?

    This could get very interesting, rather quickly. Unfortunately, if any of the above systems (or those like them) are compromised then things could get rather bloody quickly also.

    Obviously the U. S. government would deny that those systems have been compromised, regardless of reality.

    reply to this | link to this | view in thread ]

  5. icon
    ECA (profile), 12 Jan 2021 @ 12:01pm

    This is getting beyond comedic.

    Please understand. THISis a major corp thats supposed to be monitoring system for security. and they Didnt do What?

    1. a Software developer receives a DLL, (driver update) and does not check to see its from the Hardware maker(??), and if it is from the maker(maybe) ask for a copy of the programming, just to be secure.
    2. this DLL, seems to be going around the world which, generally, means every system needs this driver?
    3. security for security sake. How many of these systems have secondary protections. Like programmers to Evaluate the NEW part of a working system? Or a monitor and trace system to know what data is being used, and taken, or if something changes in the Running system, that WASNT running before?

    Anyone on this site. How many of you have More then 1 program to protect your systems? Recently Many of our protects are spreading out and covering more things. You may not use more then 1-2 programs. But there are Allot of things you can do. and something here it the above situation, seems abit off.

    This took over 6 months to Notice things had changed on the system? No evaluation that the NEW DLL was needed?
    The distribution of this updated program is abit strange. was it a direct Download, or a central distribution from the gov.?

    https://www.defensenews.com/pentagon/2020/07/13/michael-kratsios-white-house-cto-named-to-top- pentagon-tech-job/
    AND why isnt this person doing his job?

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, 12 Jan 2021 @ 1:24pm

    Just because an agency hasn't discovered a breach yet

    One assumes on is breached.

    In fact, this should be normal thinking procedure whether or not a threat or breaching has occurred anywhere.

    Idiots.

    reply to this | link to this | view in thread ]

  7. identicon
    Anonymous Coward, 12 Jan 2021 @ 9:30pm

    Re: This is getting beyond comedic.

    1. DLL's are not hardware drivers per se, and the vast majority of dll's you may encounter have nothing to do with hardware drivers at all. There was no hardware system directly involved here. Just the Solarwinds software.

    2. Solarwinds is the largest provider of enterprise network monitoring and management software in the world, so yes it got deployed within a very large number of networks.

    3. Most likely many of them, which was why the compromised component contained a variety of classes and routines normally used in the functionality of the software. The malware component remains dormant until a randomly selected time 12-14 days after installation on a system (presumably in an attempt to avoid any initial screening periods customers use as part of their own security before deploying more widely). It also contained an extensive obscufated blocklist of anti-virus tools, which if present it seeks to temporarily disable or absent that halt its own activity. After that, it hides communications within traffic designed to mimic normal solarwinds software communications.

    *This took over 6 months to Notice things had changed on the system?

    They took 0 days to notice things had changed, changing things is literally the definition of installing new software. It took months to realize that the software solarwinds provided wasn't only doing the things it was supposed to.

    No evaluation that the NEW DLL was needed?

    The dll they received was neither independent nor "new", but a normal part of the software package provided directly by the manufacturer (Solarwinds).

    was it a direct Download, or a central distribution from the gov.?

    In any large organization, the IT department receives software directly from the manufacturer, then acts as a central "distributor" within the organization.

    AND why isnt this person doing his job?

    Solarwinds was compromised at least 8 months before he was appointed, and the compromised software was distributed from them at least 2 months before he was appointed. If you want to blame someone, at least obey the laws of causality.

    reply to this | link to this | view in thread ]

  8. icon
    ECA (profile), 13 Jan 2021 @ 12:09am

    Re: Re: This is getting beyond comedic.

    "Solarwinds is the largest provider of enterprise network monitoring and management software in the world, so yes it got deployed within a very large number of networks."

    Fine..WHO WROTE IT? And Why, did they release a Dll, into their Program, IF they didnt know what it was going to do??
    It had to come from someone outside the company, What World wide company would WANT every nation and Corp AT THEIR DOOR.

    AND, there are reasons for hardware DLL, Which I dont think they mentioned What the USE was for. As far as Iv heard, you dont even know if its a Printer driver, or to monitor Anything.
    AND IMO depending on 1 form of system monitoring is Stupid in this time.

    reply to this | link to this | view in thread ]

  9. icon
    ECA (profile), 13 Jan 2021 @ 1:37pm

    Re:

    you always know there is one, because There WILL be one, if you dont Care for everything.
    But this is huge. And the info is very scarce. As where did the DLL come from. That alone is a security issue. Then No one evaluated/examined the DLL from a 3rd party? Another issue. depending on Any software to be Perfect, and your OWN monitoring is absent? Another issue.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Recent Stories
.

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.