Federal judiciary cyber breach: How SolarWinds and Legacy Systems left US courts exposed

The US federal judiciary has suffered multiple hacks targeting its Case Management/Electronic Case Files (CM/ECF) and Public Access to Court Electronic Records (PACER) systems in recent years. 

In 2020 alone, three nation-state threat actors gained access to these systems, an incident tied to the Solarwinds Orion incident disclosed in January 2021, and a more recent breach disclosed in August 2025 also granted access to highly sensitive court documents.

In this edition of our Attack Anatomy series, we’ll take a closer look at the details of both of these hacks. Let’s get into it. 

*Note: Due to the nature of the incident and associated national security concerns, limited details are available regarding the 2025 breach. However, various reports offer hints that we can use to put together a picture of what might have happened.

TL;DR

• What happened: Multiple intrusions into US federal judiciary systems (CM/ECF and PACER) in 2020 and 2025, including a confirmed SolarWinds Orion supply-chain compromise and a later exploitation of long-known vulnerabilities.

• Who was affected: At least eight US district courts; judiciary-wide systems handling sensitive but unclassified court data.

• Confirmed attacker techniques: Supply chain compromise (T1195.002), user execution of trojanized software (T1204.002), fileless malware (T1027.001), valid account abuse (T1078), exploitation of public-facing applications (T1190).

• Why it matters: Judicial systems contain sensitive legal and investigative data and have historically lagged in MFA adoption and vulnerability remediation.

• Defensive takeaway: Detection gaps around identity misuse, legacy systems, and supply-chain trust enabled long-term access.

Inside the Attacks

While the federal judiciary’s CM/EMF systems share a name, they’re actually an array of independent systems with varying levels of security. Each federal court operates its own instance of the CM/EMF, each of which has unique configurations, rules, and incident detection and response tools and strategies in place.

Additionally, courts are at different stages of migrating between CurrentGen and NextGen versions and have varying levels of adoption of critical security controls. For example, the use of multi-factor authentication (MFA) only became required across the board in 2025.

The 2020 Incidents

The federal judiciary was targeted in two separate cyberattacks in 2020. Early in the year, the judiciary was compromised by three different nation-state actors. This incident was only publicly disclosed in 2022 in a committee oversight hearing for the Justice Department’s National Security Division (NSD). 

Details of this incident are limited, with US Sen. Ron Wyden of Oregon stating that he can’t provide more details regarding the incident without “running afoul of the classification system.” 

However, the same lack of public details doesn’t apply for another breach later that year. The US judiciary was caught up in the Solarwinds Orion hack, which is attributed to Russia.

The Solarwinds hack involved the deployment of a malicious update to the company’s Orion network monitoring software. The attackers gained access to the company’s development environment via a complex attack chain. With this access, they could insert malicious functionality into the product that essentially converted it into a remote access trojan (RAT).

For this incident, the attack chain looked something like this:

• Supply chain compromise: The Solarwinds Orion incident was an example of a supply chain attack (MITRE ATT&CK Supply Chain Compromise: Compromise Software Supply Chain). The US federal judiciary — and many other companies and government departments — were targeted through their connection with SolarWinds.

• User execution: The attacker’s custom malware was disguised as part of a legitimate, digitally signed update to the Solarwinds Orion software (MITRE ATT&CK Develop Capabilities: Malware). As a result, someone within the targets’ IT departments executed the software to perform the update, resulting in the malicious code being deployed on their systems (MITRE ATT&C User Execution: Malicious File).

• Teardrop deployment: The initial malware developed and deployed by the Solarwinds attackers was codenamed Sunburst. The federal judiciary was also infected by a second-stage malware called Teardrop, indicating that the attackers had a special interest in the judiciary and wanted additional access to its network and systems. Teardrop is designed to offer extended, subtle backdoor access to infected systems, operating as fileless malware (MITRE ATT&CK Obfuscated Files or Information: Fileless Storage) with various persistence and anti-defense mechanisms built in.

• Data collection and exfiltration: In the 2020 breaches, the judiciary acknowledged that the attackers had accessed “highly sensitive and non-public documents”. While CM/EMF systems don’t store classified data, a range of other sensitive information about court cases is stored on them, such as details of court-ordered phone taps or email discovery.

The malicious functionality added to the Solarwinds Orion updates granted attackers deep access to infected systems and the ability to expand their footholds within compromised networks. 

The fact that the judiciary was also infected by Teardrop and comments that the Justice Department was “hit hard” by the attack indicate that the group behind the incident likely used a range of tools and techniques beyond those included in public reporting.

For example, the Administrator’s Office of the US Courts (AO) implemented several new security controls in response to the Solarwinds incident, including: 

• The implementation of a Zero Trust architecture

• Expansion of multi-factor authentication

• Limiting or eliminating the use of personally-owned devices to access non-public Judiciary networks and systems

This combination suggests that attackers may have compromised legitimate user accounts (MITRE ATT&CK Valid Accounts) and personally-owned devices connected to Judiciary systems (MITRE ATT&CK External Remote Services), using these systems to expand their access and move laterally through Judiciary networks.

The 2025 federal judiciary Hack

In 2025, the US federal judiciary was the target of its third hack in five years, affecting at least eight district courts. Details of this incident are—of course—extremely limited due to national security concerns. 

That said, public comments on the breach provide hints about what may have happened.

The first of these is the fact that the incident involved the exploitation of “unresolved vulnerabilities that were discovered five years ago,” according to a letter from Sen. Wyden. The software used by the judiciary, including the CM/EMF systems, has been known for years to be “outdated, unsustainable due to cyber risks, and [requiring] replacement.”

These statements make it likely that both the hacks that occurred in early 2020 and 2025 involved the exploitation of vulnerabilities within these systems. Since PACER acts as a frontend offering public access to CM/EMF data, it’s possible that vulnerabilities present in PACER permitted the attackers to gain deeper access to judiciary systems and sensitive, non-public data (MITRE ATT&CK Exploit Public-Facing Application).

Impact of the judiciary attacks

The fact that the judiciary’s CM/EMF and PACER systems have been targeted and exploited by multiple threat actors over the years underscores the importance of the information that they contain. While classified information isn’t stored on these systems and much of the CM/EMF data is public through PACER, there is still a great deal of sensitive, non-public data in CM/EMF.

Information such as phone taps and subpoenaed emails have the potential to create national security concerns. Allegedly, attackers also used their access to modify court dockets as part of the early 2020 hack of the system.

So what’s next?

The US federal judiciary hacks demonstrate the importance of learning from past incidents and proactively implementing a culture of continuous improvement within security programs. 

The fact that the 2025 hack involved vulnerabilities exposed five years previously and that the MFA finally mandated in 2025 isn’t phishing-resistant shows that lagging security programs leave gaps for attackers to exploit.

Exploring past campaigns and common attack chains from both the offensive and defensive perspectives enables organizations to design and implement defenses that work for them and close off security gaps before they can be exploited. Hack The Box can help with that—and more.