US courts system fears SolarWinds snafu could have let state hackers poke about in sealed case documents
Problems for charging spies in future? Probably not, says ex-NCSC chief
The SolarWinds hack exposed sealed US court documents – which could have a serious effect on Western sanctions against state-backed hackers.
As well as the well-publicised effects on FireEye and Microsoft, the downstream impact of the SolarWinds supply chain attack also struck the American federal court system. Aside from the obvious embarrassment and embuggerance that caused, it also may have revealed several formerly sealed, or secret, criminal case documents.
Those documents could have revealed information about upcoming criminal charges against Russian hackers, potentially exposing titbits that could feed into a wider intelligence picture of how those people are identified.
Infosec journalist Brian Krebs reported a US Courts Administrative Office statement about the impact of the Russian-backed SolarWinds hack, quoting an anonymous source as saying that the agency was "hit hard".
Referring to the US federal courts' Case Management/Electronic Case Files system (CM/ECF), the body said in a statement that the SolarWinds hack had risked "compromising highly sensitive non-public documents stored on CM/ECF, particularly sealed filings," adding: "An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation."
That's important because US federal prosecutors and security agencies targeting state-backed hackers build their cases outside the public eye, under the cover of court-sealed case documents. In ordinary criminal cases this ensures crims aren't tipped off that they're about to be arrested or searched, for example.
Ciaran Martin, former head of Britain's National Cyber Security Centre, was cautious about the impact of the apparent compromise, warning that just because Russia touched the CM/ECF system didn't automatically mean documents had been stolen.
"Don't jump to conclusions just because a particular customer of SolarWinds was targeted," he told The Register. "That implies very specific consequences. Also, don't assume that just because a specific SolarWinds customer has been targeted that anything other than espionage will have occurred."
Martin, now professor of practice in the management of public organisations at the University of Oxford, explained that a lot of state-sponsored hacking work consists in essence of picking the lock, opening the door, and then trying to figure out what you've just found. This contrasts with the popular view that fiendish adversaries pick their targets with ruthless precision and then execute a surgical cyber-strike to get what they're after.
"It's always possible that a compromise could lead to work on attribution or indictments but there are a lot of steps to take before arriving confidently at a conclusion," he added.
Over the past few years the US Department of Justice has adopted a policy of announcing domestic criminal charges against other countries' hackers, mostly (but not always) resulting in the names of individual Russians becoming known in the West.
While nobody really expects criminal charges against SVR (Russian Foreign Intelligence Service) hackers to result in a court trial on American soil, charging individuals serves two main purposes: it ensures they can never safely travel to (or through) a country that has a US extradition treaty; and it signals to non-aligned states what Western cyber-norms are.
Unfortunately, despite how it might look, the policy of attribution and charging has no real deterrent effect on countries that try to hack the West. ®