Hack Of Federal Court Filing System Exploited Security Flaws Known Since 2020

A sweeping hack of the federal judiciary's case filing system exploited unresolved security holes discovered five years ago — allowing hacking groups to steal reams of sensitive court data in the ongoing breach.

POLITICO first reported last week that officials are concerned that multiple nation-state and criminal hacking groups exfiltrated sealed case data from at least a dozen district courts since at least July. The attack mirrored another significant breach of the court filing system in 2020 under the first Trump administration, though it was not clear until now how the hackers slipped inside the system and whether both incidents were connected.

Despite the sensitive court data that was exposed, the ongoing cyber intrusion was not particularly sophisticated and took advantage of issues previously uncovered inside the federal court filing system, according to one person with direct knowledge of the hack and one senior U.S. law enforcement official. The system, called CM/ECF (Case Management/Electronic Case Files), enables legal professionals to upload and manage court documents.

The latest intrusion is a “continuation of the same rudimentary security issues” that have been present since 2020, said the law enforcement official. This person, like others in this story, was granted anonymity due to the sensitive and ongoing nature of the incident.

The person with direct knowledge of the breach said that investigators suspect that Russian hackers played a role in the earlier intrusion and in the current one, and have grown bolder about how much data they steal over time. That includes pilfering source code for the filing system from at least three federal district courts and vacuuming up sealed case data. That contrasts with a more targeted approach taken in the breach discovered in 2020.

The details about the methods used to infiltrate the digital filing system in recent months and in 2020, which have not been previously reported, underscore how easy it has been for foreign hackers to steal highly sensitive data held by the federal judiciary, possibly including sealed arrest and search warrants as well as information on witnesses and ongoing criminal probes.

“It was like taking candy from a baby for these guys,” said the person with direct knowledge of the hack.

The Administrative Office of the U.S. Courts, which administers CM/ECF, declined to comment. The Justice Department and the FBI did not respond to requests for comment.

The New York Times first reported Tuesday that the 2020 hack and the ongoing hack were both conducted at least in part by Russian hackers.

Judicial officials are particularly alarmed about the recent breaches because Latin American drug cartels are thought to have obtained some of that data, potentially allowing them to identify witnesses who testify against them in federal court. Federal courts across the country have scrambled to move their most sensitive activity to pen and paper, while congressional committees requested another closed briefing on the hack next month, following a briefing in late July.

The federal judiciary first began rolling out its backbone CM/ECF online case management system in the mid-1990s. It also has an external-facing side, PACER, that gives the public limited access to unsealed information.

The ongoing hack and the one first discovered in 2020 took advantage of a series of simple flaws in the way users authenticate into the CM/ECF system and query sensitive data stored there, said the two people.

The Administrative Office of the U.S. Courts only said in May that it would start requiring CM/ECF users to turn on two-factor authentication when they log in, a baseline cybersecurity measure.

Federal courts were repeatedly warned about the holes in the case filing system well before the recent breach came to light.

In 2022, Rep. Jerry Nadler (D-N.Y.) said that three separate nation-state hacking groups had simultaneously breached the case filing system back in 2020. He described the incident as having a “startling breadth and scope” at the time.

And in June, Michael Scudder, who chairs the Committee on Information Technology for the federal courts’ national policymaking body, testified before Congress that CM/ECF and PACER are “unsustainable due to cyber risks.” He said the federal judiciary is planning a complete system overhaul, starting with a pilot program that would be rolled out incrementally.

The federal judiciary last week said it would roll out additional security measures to better protect its electronic case filing system in response to recent cyberattacks, saying that it had “added significant cybersecurity protections and safeguards” over the past few years.

But a major obstacle to securing the filing system has been how decentralized the federal judiciary is.

Though CM/ECF is overseen by the Administrative Office of the U.S. Courts, individual federal courts run it on their own servers and have substantial autonomy over how they manage it.

“There isn’t one CM/ECF, there are over 200 because local courts make local modifications,” said a former U.S. judge who helped manage the response to the 2020 hack.

A former senior U.S. government cybersecurity official who worked on the 2020 hack said that when it was first detected, the Justice Department had to reach out to some individual federal courts to brief them on the issue and convince them to make changes to their specific systems.

With CM/ECF, “you can’t just roll out a massive patch like Microsoft can,” the former official said.

The first person with knowledge of the breach also said that some district courts have not yet opted to install robust security monitoring tools, hindering their ability to spot hackers, and that many have been slow to implement needed security patches. They also cited weak implementation of two-factor authentication, but stressed it was only a small part of the problem.

Instead of technical fixes, courts across the country are opting to record their most sensitive data using pen and paper.

At least three district courts in the last three weeks have published orders that prohibit uploading sealed documents to PACER, including the Eastern District of Washington, the Eastern District of Virginia, and the Eastern District of New York. Other district courts are in the process of making those changes, POLITICO previously reported.

The CM/ECF system does not host the most sensitive national security cases prosecuted by the government. The Justice Department also takes special care to handle information on witnesses in criminal cases who face a particularly high risk or enter the witness protection program, storing that data on its own systems.

Foreign adversaries like Russia can nonetheless glean valuable information via the federal judiciary, such as prosecutions of Russian cybercriminals in the U.S., said Anne Neuberger, the top cybersecurity official in the White House during the Biden administration. “This should be a call to action for federal judges to rapidly improve the cybersecurity of court systems,” she said.

Though the recent hack has largely relied on basic hacking techniques, some groups may also be using stealthier methods.

The first person with knowledge of the hack said that by stealing source code, the Russians likely have extensive insight into how to pilfer sealed court data.

“They probably know more about CM/ECF than the Administrative Office of the U.S. courts,” they said.

Maggie Miller contributed reporting.