It all takes me back to those simple, early James Bond movies about microfilm smuggling. And Martinis.
2 February 2021 (Chania, Crete) – The US court system has banned the electronic submission of legal documents in sensitive cases out of concern that Russian hackers have compromised the filing system.
In an extraordinary order handed down to all federal courts late last week – here is just one example being distributed – any documents that “contain information that is likely to be of interest to the intelligence service of a foreign government” will now have to be physically printed out and provided in a physical format. The decision follows concerns last month that as a result of the SolarWinds fiasco – in which suspected Kremlin spies gained access to the networks of multiple U.S. government departments via backdoored IT tools – the court system itself was hacked, making Highly Sensitive Documents (HSDs) accessible.
NOTE: The Russian hack extends far beyond SolarWinds software. Close to a third of the victims didn’t run the SolarWinds software initially considered the main avenue of attack for the hackers, according to the most recent investigator reports issued yesterday. The new revelations have now fuelled concern that the Russian hack goes far beyond SolarWinds and has exploited vulnerabilities in business software used daily by millions, far beyond what was first suspected with SolarWinds. Approximately 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds. I will have more later this week when I start my new cyber series “Beyond SolarWinds”.
The new rules don’t apply to whole cases but to any documents that would be viewed as HSDs. HSDs typically involve national security, foreign sovereign interests, criminal activity related to cybersecurity or terrorism, investigation of public officials, the reputational interests of the United States, and extremely sensitive commercial information likely to be of interest to foreign powers. In other words, stuff you don’t want the Russians, or Chinese, or North Koreans, or whoever, reading. That means sensitive wiretap details will go paper as well as any pleadings or offers to cooperate, and so on.
Typically those documents are filed through the court system’s electronic filing system but are sealed, requiring specific login access. Despite the online system’s shortcomings (it is clunky, has a dreadful search function and a horribly outdated UI), it has proven an extremely useful resource and allows for quick provision and access to documents.
But, as the notice says:
“In response to recent disclosures of wide-spread breaches of both private sector and government computer systems, federal courts are immediately adding new security procedures to protect highly sensitive documents filed with the courts.”
The federal courts were working with the Department of Homeland Security on an audit of the system, but soon outsourced to cyber security vendors because the nature of the breach was far too complex and sophisticated for an internal audit.
Going forward “highly sensitive documents” will have to be submitted to the courts on paper or on a secure electronic device. Each court will make its own determination about which documents are highly sensitive.
As a result, lawyers involved in such cases will have to print out any highly sensitive documents and then hand-deliver them to the courthouse. Those documents will then be uploaded to a computer at the courthouse that isn’t connected to any network. And lawyers will then have to travel to the court and to that computer to gain access to the docs. Something which is, of course, made even harder thanks to COVID-19 pandemic protocols.
Aside from that, however, security experts now realize the potential impact of the Russian government having copies of thousands of highly sensitive non-public documents. Access to large quantities of information on ongoing cases, including who the US government is monitoring and any deals people may be cutting, would be a treasure trove for a foreign intelligence agency.
NOTE: It is not believed access was gained to the most sensitive U.S. court – the secretive FISA aka Foreign Intelligence Surveillance Court – which runs its own system that is not connected to other networks.
But as noted on many cyber/intelligence blogs such as DefenseOne and CyberBrief plus cybersecurity/intel information sites like Crowdstrike, FireEye and Palo Alto Networks, there is little doubt, due to the nature of the systems, that formerly sealed, or secret, criminal case documents and current case documents have been accessed. Those documents could have revealed information about upcoming criminal charges against Russian hackers, potentially exposing titbits that could feed into a wider intelligence picture of how those people are identified. Infosec journalist Brian Krebs has reported that, in his conversations with U.S. Courts Administrative Office personnel (who preferred to be quoted as anonymous sources), they said the court system was “hit very, very hard”.
And just to state the obvious … all of this is very important because U.S. federal prosecutors and security agencies targeting state-backed hackers build their cases outside the public eye, under the cover of court-sealed case documents. In ordinary criminal cases this ensures criminals aren’t tipped off that they’re about to be arrested or searched, for example.
It reminds me of China’s attack in 2016 on the U.S. Office of Personnel Management, which grabbed the files of 23 million Federal employees. Intelligence analysts realized the Chinese could cross-reference/perform data analytics on the breached data and tell who is an intelligence officer, who travels where, when, who’s got financial difficulties, who’s got medical issues, etc. – cross-referencing that with the list of U.S. personnel assigned to the U.S. embassy/consulate in China per required U.S. State Department personnel filings in China. China did unmask agents and the U.S. government did pull out personnel from China as a precaution. Fodder for another post.
The true depth of the breach will not be known for months, perhaps longer, something I will address in my “Beyond SolarWinds” cyber series. And as I have noted in previous posts, there are always different attack strategies at play. While the “surgical-strike-we-know-what-we-are-after” type attack is very rare, there’s big pressure to extract metadata ASAP to enable your analysts to ID material to exfiltrate. It’s a trade-off between increased chance of detection if trying to exfiltrate petabytes, versus hanging around so long that they’re discovered via other means (i.e., the discovery of the SolarWinds trojan). This must make for some interesting discussions at the coffee kiosk in whichever war rooms they have those debates.
Revert to paper? And printers? The wrong response. At the wrong time.
Yes, yes. I know. I remember. “Back to basics” was tried before. It was only seven years ago that the Russians reverted to typewriters after the NSA leaks. But let’s not forget about the hacked Selectric typewriters in U.S. Embassies.
And printers? Mixed bag. Most printers keep copies of documents on their hard drives. So there is the potential vulnerability if they print anything out. Yes, the cache of printers is limited and can be deleted or overwritten. Unless they’ve been hacked. And how many offices actually bother to set up the passwords on networked printers or auto “cache delete”? Well, you do if you have a very good sysadmin. You could be sending a copy of everything you print to anywhere. It’s how the Chinese hacked a U.S. law firm in Washington, DC three years ago from a Starbucks as two associates were taking a break but sending print requests back to their office.
NOTE: do not be surprised. It’s easy. As my cyber/pentest clients know, back in 2018 I was sitting in a Starbucks in Washington, DC with a “black hat” colleague and he showed how he could access (almost) everybody’s laptop sitting in that Starbucks. We got into a D.C. law firm via its printer system, using Wireshark. The law firm employee had VPN but we took advantage of “the gap” between start-up and connection. We communicated all of that information to the law firm.
And I should note that networked copiers, like Xerox copiers, have hard drives too, so the potential for hackers who are already on the LAN extends a bit further than you might think. But let’s move on.
I am puzzled. Getting lawyers in sensitive cases to hand-deliver paper copies of sensitive documents to the Court makes perfect sense. But why should these sensitive documents then be hand-typed into a court computer at all? That simply makes no sense at all, since all it does is to make the electronic copy available to hackers, regardless of whether it’s online or not: never heard of USB memory sticks or SD cards in miscreants’ pockets?
The only proper place for a sensitive document that must not be accessed by unauthorised persons is locked in a fireproof safe. If somebody needs a copy of it, use a photocopier and verify that the copy is shredded as soon as it is no longer needed. Yeah, there are holes in that too, but I’m just riffing.
The big issue, the solution issue with the court systems is that the U.S. Government spends an obscene amount of money on nonsense … more than any other country in the world. Yet, when it comes to spending on existing technology that could protect sensitive data, it opts for hand games. So the U.S. court system kills off electronic submission of legal documents out of concern that Russian hackers have compromised the filing system:
“In response to recent disclosures of wide-spread breaches of government computer systems, federal courts are immediately adding new security procedures to protect highly sensitive documents filed with the courts.”
These “new” security procedures take us back to the 1950s and require a printout and hand-delivery.
Hello? Could someone ring up the Feds and let them know that the Russians already have thousands of highly sensitive non-public documents they are worried about, and will continue to roam around those systems for months?
Solution? There are at least 50 great cryptographic, encryption and quantum key solutions on the market today that could save all those trips to the isolated courthouse computer while safeguarding that data. All proven companies. I cannot name them all but just four that I know come to mind: QuintessenceLabs, ID Quantique, QNu Labs and ISARA Corporation.
But if you really, really, really want “security” then look at some of the local version software used by states. The systems (most of them) are written in Perl 5.x. The system uses some home-brew DB access modules as well as somewhat of a framework, all written back in the mid to late 1990s, all written in, you guessed it, Perl. The encryption routine was a C module that was easily hackable. The database is Informix. Yes, the UI and other functions are clunky at best, but apparently attorneys love it.
I mean, come on man. There are solutions. Surely you cannot be this obtuse, Federal Government. Oops. Just answered my own question.