The second Trump administration has its first federal cybersecurity debacle to deal with.
A breach of the United States federal judiciary’s electronic case filing system, discovered around July 4, has pushed some courts onto backup paper-filing plans after the hack compromised sealed court records and possibly exposed the identities of confidential informants and cooperating witnesses across multiple US states.
More than a month after the discovery of the breach—and in spite of recent reports from The New York Times and Politico that Russia was involved in perpetrating the hack—it is still unclear exactly what happened and which data and systems were affected.
Politico first reported the breach of the “case management/electronic case files,” or CM/ECF, system, which may have impacted criminal dockets, arrest warrants, and sealed indictments. The CM/ECF system also suffered a breach in 2020 during the first Trump administration, and Politico reported on Tuesday that, in the recent attack, hackers exploited software vulnerabilities that remained unaddressed after being discovered five years ago in response to that first incident. Security researchers say that gaps in public information about the situation are concerning, particularly when it comes to lack of clarity on what data was affected.
“We’re more than a month into detecting this intrusion and still don’t have a full accounting of what’s impacted,” says Jake Williams, a former NSA hacker and current vice president of research and development at Hunter Strategy. “If we don’t have sufficient logging to reconstruct attack activity, that would be extremely disappointing, because this system has been repeatedly targeted over the years.”
In response to a request for comment, the United States Courts referred WIRED to its August 7 statement, which says the federal judiciary “is taking additional steps to strengthen protections for sensitive case documents” and “further enhancing security of the system.” The courts also mention that the “vast majority of documents filed with the Judiciary’s electronic case management system are not confidential and indeed are readily available to the public,” while conceding that “some filings contain confidential or proprietary information that are sealed from public view.”
The Department of Justice did not immediately respond to requests for comment about the scope of the breach or who perpetrated it.
Reports this week that Russia was involved in the attack or may be the sole perpetrator have been difficult to interpret, given other indications that espionage actors backed by multiple countries—and possibly organized crime syndicates—may have been involved in or piggybacking on the breach for their own exfiltration.
John Hultquist, chief analyst in Google’s Threat Intelligence Group, says it is not uncommon to see multiple actors poking at a sensitive, and potentially vulnerable, system. “Investigations are regularly targeted by cyberespionage actors from several countries,” he says.
News of the breach comes as the Trump administration has continued to slash the federal workforce, including combing intelligence and cybersecurity agencies to remove officials or pressure them to resign.
“I think federal investigators probably know who was behind the attack, but given the climate, I would suspect that no one wants to say with certainty,” Hunter Strategy’s Williams says.
Multiple administrations have struggled to get a handle on insidious espionage operations, particularly campaigns perpetrated by Chinese and Russian actors. But researchers emphasize that vulnerabilities enabling the attack on CM/ECF should have been addressed after the 2021 breach.
“Enforcing policies to require that sealed or highly sensitive documents be handled via air-gapped systems or secure isolated networks rather than through CM/ECF or PACER would have dramatically limited exposure. And this was actually recommended post-2021,” says Tim Peck, senior threat researcher at the cybersecurity firm Securonix. “Instituting consistent, centralized logging—among other things—across all disparate CM/ECF instances could have enabled earlier detection and rapid mitigation before data exfiltration escalated as far as it did.”
In other words, highly targeted systems like those of the US Courts are likely going to suffer breaches. But the best way to reduce the likelihood and severity of these attacks is to make sure you fix the flaws after they’re exploited the first time around.