Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack and Breach.

Total Financial Loss: The total financial loss from these incidents is estimated to be $115 million.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with secured its networks, and communication strategy with informed the impacted members about the breach, and incident response plan activated with yes, and containment measures with restricting access to sensitive documents, and remediation measures with implementing more rigorous procedures for document access, and and containment measures with stricter access controls, and remediation measures with enhancing security of the system, and recovery measures with working with courts to mitigate impact on litigants, and communication strategy with published statement, and and and and incident response plan activated with confirmed by administrative office of the us courts (august 5 disclosure), incident response plan activated with norwegian pst (domestic intelligence agency) investigation, and law enforcement notified with norwegian pst, law enforcement notified with us department of justice (implied, though no response confirmed), and communication strategy with public disclosure by us courts (august 5), communication strategy with statements by norwegian pst (via local media), and incident response plan activated with yes (partial; backup paper-filing activated), and law enforcement notified with likely (given federal nature, but not publicly confirmed), and containment measures with isolation of affected cm/ecf components, containment measures with transition to manual filings, and remediation measures with investigation into unpatched vulnerabilities, remediation measures with potential system overhaul (not yet confirmed), and communication strategy with limited public disclosures (via media leaks), communication strategy with no official federal statement as of august 2024, and enhanced monitoring with likely (but not detailed publicly), and law enforcement notified with likely (given federal judiciary involvement), and communication strategy with public disclosure via analysis (lawfare article), communication strategy with likely internal federal briefings, and enhanced monitoring with recommended as part of proposed 'coordinated security uplift', and incident response plan activated with yes (vague 'steps to improve cybersecurity' mentioned), and third party assistance with collaboration with congress, third party assistance with federal agencies (unspecified), and communication strategy with public statement on 2024-08-07 (limited details), communication strategy with no response to 2020 intrusion disclosure, and incident response plan activated with yes (fbi, doj, and international law enforcement), and third party assistance with u.k. national crime agency, third party assistance with west midlands police, third party assistance with city of london police, third party assistance with agencies in canada, romania, australia, and the netherlands, and law enforcement notified with yes (fbi, doj, u.k. authorities), and containment measures with seizure of servers and cryptocurrency wallets ($36m), containment measures with shutdown of scattered spider's telegram channel, and communication strategy with doj complaint unsealing, communication strategy with public statements by fbi/doj officials, communication strategy with media coverage of arrests..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Exploited vulnerabilities in CM/ECF system (US)Compromised dam control system credentials/access (Norway), Exploited unpatched vulnerabilities in CM/ECF system (2019-era flaws), unpatched vulnerabilities in case management system and Helpdesk password reset requests.

Average Financial Loss: The average financial loss per incident is $12.78 million.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Financial Information, Trade Secrets, Sales Figures, Contracts, Product Plans, , Confidential court documents, identities of confidential informants, Sensitive Case Documents, Identities Of Confidential Informants, , Sensitive Documents, Sealed Materials, , Sealed Legal Documents, Witness Identities, Court System Architectural Blueprints, Case Files (Including Those With Russian/Eastern European Surnames), , Legal Documents, Sealed Records, Personally Identifiable Information (Pii) Of Informants/Witnesses, Criminal Case Details, , Personally Identifiable Information (Pii) Of Witnesses, Criminal Investigation Details, Unclassified Judicial Records, , Sealed Court Records, National Security Documents, Criminal Investigative Files, , Personally Identifiable Information (Pii), Employment Records, Judicial Subpoenas, Customer Account Information and .

Incident Response Plan: The company's incident response plan is described as Yes, , , Confirmed by Administrative Office of the US Courts (August 5 disclosure), Norwegian PST (domestic intelligence agency) investigation, , Yes (partial; backup paper-filing activated), Yes (vague 'steps to improve cybersecurity' mentioned), Yes (FBI, DOJ, and international law enforcement).

Third-Party Assistance: The company involves third-party assistance in incident response through collaboration with Congress, federal agencies (unspecified), , U.K. National Crime Agency, West Midlands Police, City of London Police, Agencies in Canada, Romania, Australia, and the Netherlands, .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Implementing more rigorous procedures for document access, Enhancing security of the system, Investigation into unpatched vulnerabilities, Potential system overhaul (not yet confirmed), .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by secured its networks, , restricting access to sensitive documents, stricter access controls, isolation of affected cm/ecf components, transition to manual filings, , seizure of servers and cryptocurrency wallets ($36m), shutdown of scattered spider's telegram channel and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Working with courts to mitigate impact on litigants.

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Potential congressional hearings, Internal judicial reviews, , Sen. Wyden's call for independent review by National Academy of Sciences, , U.S. charges against Thalha Jubair (computer fraud, wire fraud, money laundering), Potential extradition from U.K., Up to 95 years in prison if convicted, .

Key Lessons Learned: The key lessons learned from past incidents are Legacy systems (e.g., Windows XP-era software) in critical infrastructure pose severe risks.,Nation-state actors exploit long-standing vulnerabilities for espionage and sabotage.,Industrial control systems (e.g., dams) are targets for demonstrative attacks.,Decentralized systems (e.g., 200+ local CM/ECF instances) complicate security.,Pro-Russian cyber activity is escalating in both stealth (US) and spectacle (Norway).Failure to patch known vulnerabilities leads to repeated breaches.,Federal systems require **real-time logging and forensic capabilities** to reconstruct attacks.,Transparency gaps undermine public trust in judicial cybersecurity.,State-sponsored threats demand **proactive threat hunting** in critical infrastructure.Reactive 'education-by-breach' approach is insufficient for modern threats.,Democratization of hacking tools lowers the barrier for sophisticated attacks.,Diverse threat actors (nation-states, cartels, criminals) require a unified defense strategy.,Centralized incident response and shared case studies could improve federal cybersecurity posture.,Offensive cyber operations alone cannot mitigate systemic vulnerabilities.Delayed adoption of phishing-resistant MFA creates critical vulnerabilities.,Lack of transparency with Congress/public exacerbates reputational damage.,Independent oversight may be necessary for federal judiciary cybersecurity.,Unpatched vulnerabilities (even years old) remain high-risk targets.Helpdesk authentication processes are critical targets for social engineering attacks.,Multi-factor authentication (MFA) is essential for administrative accounts.,Cryptocurrency transactions can be traced to identify threat actors.,Telegram and gaming platforms can serve as evidence sources in investigations.,Collaboration between international law enforcement agencies is vital for disrupting cybercriminal networks.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Mandatory **third-party audits** of court IT infrastructure., Enhanced **insider threat monitoring** for sensitive case files., Public disclosure protocols to improve transparency post-breach., Implementation of **zero-trust architecture** for federal judicial systems. and Immediate patching of all known vulnerabilities in CM/ECF..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: PoliticoDate Accessed: 2024-08-06, and Source: Politico, and Source: BleepingComputer, and Source: Politico, and Source: The RegisterUrl: https://www.theregister.com, and Source: New York TimesUrl: https://www.nytimes.com, and Source: Norwegian PST (via local media), and Source: PoliticoUrl: https://www.politico.com/news/2024/08/06/federal-courts-hack-russia-00172345Date Accessed: 2024-08-07, and Source: The New York TimesUrl: https://www.nytimes.com/2024/08/06/us/politics/federal-courts-hack-russia.htmlDate Accessed: 2024-08-07, and Source: Hunter Strategy (Jake Williams, former NSA hacker)Date Accessed: 2024-08-07, and Source: LawfareUrl: https://www.lawfareblog.com/drug-cartels-are-new-apts, and Source: Sen. Ron Wyden's letter to Chief Justice John RobertsDate Accessed: 2024-08-19, and Source: Administrative Office of the U.S. Courts public statementDate Accessed: 2024-08-07, and Source: 2020 House Judiciary Chair Jerrold Nadler disclosure (referenced by Wyden), and Source: U.S. Department of JusticeDate Accessed: 2024-07-18, and Source: FBI Statement (Brett Leatherman)Date Accessed: 2024-07-18, and Source: Westminster Magistrates Court Records (Thalha Jubair and Owen Flowers)Date Accessed: 2024-07-18.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Informed The Impacted Members About The Breach, Published statement, Public Disclosure By Us Courts (August 5), Statements By Norwegian Pst (Via Local Media), Limited Public Disclosures (Via Media Leaks), No Official Federal Statement As Of August 2024, Public Disclosure Via Analysis (Lawfare Article), Likely Internal Federal Briefings, Public Statement On 2024-08-07 (Limited Details), No Response To 2020 Intrusion Disclosure, Doj Complaint Unsealing, Public Statements By Fbi/Doj Officials and Media Coverage Of Arrests.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Us Legal Community Warned Of Potential Compromise Of Sealed Cases., Norwegian Critical Infrastructure Operators Advised To Audit Control Systems., Lawyers Using Cm/Ecf/Pacer Advised To Monitor For Unusual Activity., Norwegian Public Reassured That Dam Attack Caused No Lasting Damage But Demonstrated Vulnerability., , Judicial Conference Of The United States (Internal), Department Of Justice (Likely Involved), None Publicly Issued To Affected Individuals (E.G., Informants/Witnesses), , Federal Judiciary Branches, U.S. Department Of Justice, Congressional Oversight Committees, Law Enforcement Agencies Involved In Affected Cases, Legal Professionals Using Cm/Ecf And Pacer, Witnesses And Individuals Involved In Compromised Cases, , Doj And Fbi Warnings About Scattered Spider Tactics and Advisories To Critical Infrastructure Sectors.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Likely (but not detailed publicly), Recommended As Part Of Proposed 'Coordinated Security Uplift', , Collaboration With Congress, Federal Agencies (Unspecified), , U.K. National Crime Agency, West Midlands Police, City Of London Police, Agencies In Canada, Romania, Australia, And The Netherlands, .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Implementing secure stand-alone computer systems for sensitive documents, Strengthening cybersecurity measures, Emergency Vulnerability Assessments Across All Federal Court Systems., Deployment Of **Endpoint Detection And Response (Edr)** Tools., Reevaluation Of **Third-Party Vendor Security** For Cm/Ecf., Development Of A **Federal Judicial Cybersecurity Task Force**., , Proposed 'Coordinated Security Uplift' For Federal Agencies, Development Of Shared Incident Case Studies, Enhanced Monitoring For Prolonged Intrusions, Reevaluation Of Offensive Cyber Operations’ Role In Defense, Improved Collaboration Between Judicial, Law Enforcement, And Intelligence Agencies, , Doj/Fbi Disruption Of Scattered Spider Operations (Server Seizures, Arrests), Heightened Scrutiny Of Helpdesk Processes In Federal Agencies, International Law Enforcement Collaboration To Track Cryptocurrency And Threat Actors, .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was ['$25 million (one victim)', '$36.2 million (another victim)', 'Total: $115 million across all victims'].

Last Attacking Group: The attacking group in the last incident were an Nation-state actors (suspected), Russian State-Sponsored Actors (suspected)Kremlin-Aligned Cyber Groups, Allegedly linked to Russia (unconfirmed)State-sponsored actors (suspected), Latin American Drug Cartels (potential weaponization of data)Multiple Nation-StatesVarious Criminal Groups, Alleged Russian hackers (same group linked to a prior 2020 intrusion), Scattered SpiderThalha Jubair (19, U.K. national)Owen Flowers (18 and U.K. national)Unnamed U.S.-based co-conspirator.

Most Recent Incident Detected: The most recent incident detected was on 2025-07-04.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-07-18.

Highest Financial Loss: The highest financial loss from an incident was $115 million (ransom payments).

Most Significant Data Compromised: The most significant data compromised in an incident were financial information, trade secrets, sales figures, contracts, product plans, , Confidential court documents, identities of confidential informants, sensitive case documents, identities of confidential informants, , sensitive documents, potential exposure of confidential informant identities, , Sealed court documents, Witness identities, US court system blueprints, Midlevel criminal case files (NYC and other jurisdictions), , Sealed court records, Confidential informant identities, Cooperating witness identities, Criminal dockets, Arrest warrants, Sealed indictments, , Witness identities, Details of ongoing criminal investigations, Sensitive unclassified judicial records, , sealed case data, potential national security documents, criminal charging/investigative documents, , Personnel data (names, usernames, telephone numbers), Federal judge subpoenas, Thousands of names, titles, and work locations of U.S. Courts users, Customer account information (requested via financial services provider) and .

Most Significant System Affected: The most significant system affected in an incident were CM/ECFPACER and Public Access to Court Electronic Records (PACER) and US Courts' CM/ECF (Case Management/Electronic Case Files) systemPACER (Public Access to Court Electronic Records)Bremanger Dam Control Systems (Norway) and Case Management/Electronic Case Files (CM/ECF) systemBackup paper-filing systems (activated as contingency) and Case Management/Electronic Case Files (CM/ECF)Public Access to Court Electronic Records (PACER) and federal district court case management system and U.S. Federal Court NetworkSeven victim companies (unnamed)Transport for London (2023)47 U.S. entitiesCompanies in insurance, retail, and aviation industries.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was collaboration with congress, federal agencies (unspecified), , u.k. national crime agency, west midlands police, city of london police, agencies in canada, romania, australia, and the netherlands, .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were secured its networks, Restricting access to sensitive documents, Stricter access controls, Isolation of affected CM/ECF componentsTransition to manual filings and Seizure of servers and cryptocurrency wallets ($36M)Shutdown of Scattered Spider's Telegram channel.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were sales figures, contracts, US court system blueprints, criminal charging/investigative documents, Personnel data (names, usernames, telephone numbers), potential exposure of confidential informant identities, Sealed court documents, Arrest warrants, Sealed court records, Sensitive unclassified judicial records, Federal judge subpoenas, Confidential court documents, identities of confidential informants, product plans, Sealed indictments, Details of ongoing criminal investigations, financial information, Midlevel criminal case files (NYC and other jurisdictions), Thousands of names, titles, and work locations of U.S. Courts users, identities of confidential informants, Confidential informant identities, sealed case data, potential national security documents, Witness identities, Criminal dockets, trade secrets, Customer account information (requested via financial services provider), sensitive documents, sensitive case documents and Cooperating witness identities.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 0.

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was ['$25 million (one victim)', '$36.2 million (another victim)', 'Total: $115 million across all victims'].

Highest Ransom Paid: The highest ransom paid in a ransomware incident was $115 million (total across all victims).

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Potential congressional hearings, Internal judicial reviews, , Sen. Wyden's call for independent review by National Academy of Sciences, , U.S. charges against Thalha Jubair (computer fraud, wire fraud, money laundering), Potential extradition from U.K., Up to 95 years in prison if convicted, .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Collaboration between international law enforcement agencies is vital for disrupting cybercriminal networks.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Public-private partnerships to share threat intelligence on Kremlin-aligned actors., International cooperation on attributing and deterring state-sponsored cyber operations., Mandate phishing-resistant multifactor authentication across all federal court systems., Address the root causes of systemic vulnerabilities in federal IT infrastructure., Accelerate patch management for critical vulnerabilities in case management systems., Implement stricter identity verification for helpdesk password resets (e.g., MFA, challenge questions)., Monitor administrative accounts for unusual activity (e.g., sudden data access or exfiltration)., Disclose details of the 2020 intrusion and other past breaches to restore accountability., Coordinate with law enforcement proactively to share threat intelligence., Conduct an independent cybersecurity audit (e.g., by National Academy of Sciences)., Consolidation of fragmented IT systems (e.g., US courts' local instances) to reduce attack surface., Mandatory multi-factor authentication for sensitive legal and infrastructure systems., Enhance monitoring and detection capabilities for prolonged intrusions., Enhance logging and monitoring of critical systems to detect unauthorized access., Mandatory **third-party audits** of court IT infrastructure., Implement mandatory cybersecurity requirements for the judiciary (currently voluntary)., Implementation of **zero-trust architecture** for federal judicial systems., Develop and share incident case studies to proactively address threats., Implement a 'coordinated security uplift' across federal agencies., Segment networks to limit lateral movement by attackers., Enhanced **insider threat monitoring** for sensitive case files., Immediate patching of all known vulnerabilities in CM/ECF., Replace PACER with a more cyber-secure system, Public disclosure protocols to improve transparency post-breach., Move beyond reactive measures to predictive, intelligence-driven cybersecurity., Train employees on recognizing social engineering tactics, especially for helpdesk staff., Immediate patching of legacy systems in judicial and critical infrastructure sectors., Conduct regular audits of third-party vendors and service providers for security vulnerabilities., Enhanced monitoring of industrial control systems for anomalous behavior (e.g. and dam valve changes)..

Most Recent Source: The most recent source of information about an incident are BleepingComputer, Administrative Office of the U.S. Courts public statement, Westminster Magistrates Court Records (Thalha Jubair and Owen Flowers), Sen. Ron Wyden's letter to Chief Justice John Roberts, Lawfare, The Register, The New York Times, Norwegian PST (via local media), 2020 House Judiciary Chair Jerrold Nadler disclosure (referenced by Wyden), FBI Statement (Brett Leatherman), Politico, New York Times, Hunter Strategy (Jake Williams, former NSA hacker) and U.S. Department of Justice.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.theregister.com, https://www.nytimes.com, https://www.politico.com/news/2024/08/06/federal-courts-hack-russia-00172345, https://www.nytimes.com/2024/08/06/us/politics/federal-courts-hack-russia.html, https://www.lawfareblog.com/drug-cartels-are-new-apts .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was US legal community warned of potential compromise of sealed cases., Norwegian critical infrastructure operators advised to audit control systems., Judicial Conference of the United States (internal), Department of Justice (likely involved), Federal judiciary branches, U.S. Department of Justice, Congressional oversight committees, Law enforcement agencies involved in affected cases, DOJ and FBI warnings about Scattered Spider tactics, Advisories to critical infrastructure sectors, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Lawyers using CM/ECF/PACER advised to monitor for unusual activity.Norwegian public reassured that dam attack caused no lasting damage but demonstrated vulnerability., None publicly issued to affected individuals (e.g., informants/witnesses) and Legal professionals using CM/ECF and PACERWitnesses and individuals involved in compromised cases.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Exploited unpatched vulnerabilities in CM/ECF system (2019-era flaws) and Helpdesk password reset requests.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Years-long (US court system)Unspecified (Norway, but part of a 'change in activity over the past year'), Unknown (potentially years, given 2020 breach history), Potentially extended (some actors maintained access for prolonged periods), Potentially years (hackers may have 'lurked in systems for years'), Ongoing since at least May 2022.

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Outdated and unpatched software (US court systems).Lack of segmentation in critical infrastructure networks (Norway).Insufficient monitoring of anomalous access patterns (both incidents).Geopolitical tensions enabling state-sponsored cyber operations., Failure to remediate known vulnerabilities (since 2019).Insufficient logging for attack reconstruction.Lack of **defense-in-depth** strategies for critical judicial systems.Potential **supply chain risks** in CM/ECF software., Systemic vulnerabilities in federal cybersecurity infrastructureLack of centralized incident response coordinationInsufficient proactive threat detectionOver-reliance on reactive measures ('education-by-breach')Underestimation of non-state actors (e.g., drug cartels) as cyber threats, Failure to patch known vulnerabilities for ~5 years.Inadequate multifactor authentication (non-phishing-resistant).Lack of mandatory cybersecurity requirements for the judiciary.Culture of secrecy/cover-up (e.g., undisclosed 2020 breach).Slow response to escalating threats (e.g., 2020 and 2024 intrusions by same actors)., Inadequate authentication for helpdesk password resetsLack of MFA for administrative accountsInsufficient monitoring of privileged account activityHuman error (falling for social engineering).

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Implementing secure stand-alone computer systems for sensitive documents, Strengthening cybersecurity measures, Emergency vulnerability assessments across all federal court systems.Deployment of **endpoint detection and response (EDR)** tools.Reevaluation of **third-party vendor security** for CM/ECF.Development of a **federal judicial cybersecurity task force**., Proposed 'coordinated security uplift' for federal agenciesDevelopment of shared incident case studiesEnhanced monitoring for prolonged intrusionsReevaluation of offensive cyber operations’ role in defenseImproved collaboration between judicial, law enforcement, and intelligence agencies, DOJ/FBI disruption of Scattered Spider operations (server seizures, arrests)Heightened scrutiny of helpdesk processes in federal agenciesInternational law enforcement collaboration to track cryptocurrency and threat actors.