Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

When Cybercriminals Attack Our Courts: What Happens Then?

December 13, 2022

GovTech Today posted on December 7, reporting on the cyberattacks that have hit state courts in Alaska, Georgia and Texas in recent years.

Court leaders and CIOs speaking at the National Center for State Courts eCourt conference shared what happened and the lessons they have learned.

Alaska’s attack left its courts without Internet for a month and without a connection to the executive branch for four months.

In May 2020, a ransomware attack hit Texas courts in the early morning hours, while IT staff were asleep. It affected servers at each of the state’s two high courts and at its 14 intermediate appellate courts, explained Casey Kennedy, CIO for Texas’ Office of Court Administration.

Hackers likely used a phishing campaign to take over a regular user’s email account, then used a zero-day exploit to escalate that account to administrator-level privileges. From there, they moved laterally in search of a richer target.

“We could watch them jump from server to server until they found our domain controller … the machine that stores all your usernames and all your passwords,” Kennedy said.

Attackers then attempted to introduce a variety of viruses, but the anti-virus thwarted most attempts — until perpetrators switched to a more subtle attack.

They launched the Notepad application in a suspended state so that it would not run, wrote malicious code into Notepad’s memory, and then resumed it, Kennedy said. This tricked the system into thinking it was just running a legitimate program, Notepad, when in truth it was now running the attackers’ code. The technique is known as process hollowing, and it let the perpetrators deploy their malware to computers throughout the network.
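As an added example (not code from the article or from the Texas courts), here is a small detector for the sequence just described, written in Python and run over constructed process telemetry. The event schema, field names and process IDs are this example’s own; real sensors (EDR kernel callbacks, ETW) expose the equivalent creation flags and cross-process writes under their own names.

```python
"""Added example (not from the article or the Texas courts): a detector for
the process-hollowing sequence described above, run over constructed
process-telemetry events.  The event schema is a simplified stand-in for what
an EDR or ETW-based sensor records; field names are this example's own."""
from dataclasses import dataclass
from typing import Dict, List

CREATE_SUSPENDED = 0x00000004  # Win32 CreateProcess creation flag


@dataclass
class Event:
    ts: int            # monotonic timestamp (constructed)
    kind: str          # "ProcessCreate" | "MemoryWrite" | "ThreadResume"
    actor_pid: int     # process performing the action
    target_pid: int    # process acted upon (the child, for ProcessCreate)
    image: str = ""    # target image path (ProcessCreate only)
    flags: int = 0     # creation flags (ProcessCreate only)


@dataclass
class _Tracked:
    creator: int
    image: str
    suspended: bool
    written_by_creator: bool = False


def find_hollowing(events: List[Event]) -> List[dict]:
    """Alert when one process creates another suspended, writes into its
    memory, then resumes it.  Each step is common on its own (debuggers and
    launchers start children suspended); the ordered triple from the same
    actor against the same child is the hollowing signature."""
    tracked: Dict[int, _Tracked] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "ProcessCreate":
            tracked[ev.target_pid] = _Tracked(
                creator=ev.actor_pid,
                image=ev.image,
                suspended=bool(ev.flags & CREATE_SUSPENDED),
            )
            continue
        st = tracked.get(ev.target_pid)
        if st is None or not st.suspended or ev.actor_pid != st.creator:
            continue  # no suspended child of this actor to worry about
        if ev.kind == "MemoryWrite":
            st.written_by_creator = True
        elif ev.kind == "ThreadResume":
            if st.written_by_creator:
                alerts.append({
                    "ts": ev.ts,
                    "actor_pid": ev.actor_pid,
                    "target_pid": ev.target_pid,
                    "image": st.image,
                    "reason": "created suspended, written by creator, then resumed",
                })
            st.suspended = False  # resumed: the window for hollowing has closed
    return alerts


# Constructed sample telemetry: a benign Notepad launch, a launcher that
# starts a child suspended without touching it, and the hollowing sequence.
SAMPLE_EVENTS = [
    Event(1, "ProcessCreate", 1000, 1200, r"C:\Windows\System32\notepad.exe", 0),
    Event(2, "ProcessCreate", 5000, 5100, r"C:\Program Files\App\worker.exe", CREATE_SUSPENDED),
    Event(3, "ThreadResume", 5000, 5100),
    Event(4, "ProcessCreate", 4000, 4100, r"C:\Windows\System32\notepad.exe", CREATE_SUSPENDED),
    Event(5, "MemoryWrite", 4000, 4100),
    Event(6, "MemoryWrite", 4000, 4100),
    Event(7, "ThreadResume", 4000, 4100),
    Event(8, "MemoryWrite", 4000, 4100),  # after resume: outside this rule's window
]

if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_EVENTS):
        print(alert)
```

The rule fires only on the ordered triple from a single actor against a single child: debuggers and launchers legitimately start children suspended and resume them, and plenty of software writes into processes it did not create suspended, so either step alone would bury analysts in noise. A production rule would also compare the on-disk image against the code mapped at the process’s image base, since hollowing leaves the file on disk untouched, which is exactly why a signature-based anti-virus saw nothing wrong.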

The disaster had an upside, though. After a cyber incident, the non-IT sides of government tend to become newly receptive to cybersecurity proposals and stop complaining about the friction that defensive measures cause. That mindset lasts about six months, Kennedy said, and is an opportunity to push through policies such as strong password requirements, mandatory multifactor authentication (MFA) and automatic installation of software updates.

Improving password policies became important for Alaska, too, after its own incident hit in 2021.

“Eighty-six percent of our passwords were hacked in less than four hours,” Alaska State Court Administrator Stacey Marz recalled. “We [had] a lot of repetitive passwords like ‘Alaska123.’”
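The kind of password the court describes fails several checks at once. As an added example (not code from the article or from either court), here is a password-policy check in Python, exercised against the quoted weak pattern. The minimum length, the context words and the breached-password list are this example’s own choices; a real deployment would feed in a large breach corpus and the organization’s own names.

```python
"""Added example (not from the article or the Alaska courts): a password
policy check that rejects the "Alaska123" pattern quoted above.  Minimum
length, context words and the breached-password list are this example's
own choices, not policy taken from either court."""
import re
from typing import Iterable, List, Set

# Constructed stand-in for a breached/common-password corpus, stored lower-cased.
BREACHED: Set[str] = {"password", "123456", "qwerty", "welcome1", "alaska123"}

# Constructed context words an attacker would try first against this organisation.
CONTEXT_WORDS = ["Alaska", "Court", "AKCourts", "Anchorage"]


def strip_suffix(pw: str) -> str:
    """Lower-case and drop a trailing run of digits/symbols so that
    "Alaska123!" and "Alaska2021" both reduce to the same core, "alaska"."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def check_password(pw: str, context_words: Iterable[str] = CONTEXT_WORDS,
                   breached: Set[str] = BREACHED, min_len: int = 14) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    lowered = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Compare both the full password and its stripped core against the corpus,
    # so a cracked "alaska123" also blocks "Alaska123!" and "Alaska2022".
    if lowered in breached or strip_suffix(pw) in breached:
        problems.append("appears in breached/common-password list")
    for word in context_words:
        if word.lower() in lowered:
            problems.append(f"contains context word '{word}'")
    # "Word123" / "Word2021!" is the shape of the passwords that fell in hours.
    if re.fullmatch(r"[A-Za-z]+\d{1,4}[^\w]?", pw):
        problems.append("dictionary word followed by digits")
    if len(pw) > 3 and len(set(lowered)) <= 3:   # e.g. "aaaaaaaaaaaaaa"
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["Alaska123", "AlaskaCourts2021!", "glacier-ferry-moose-ledger-41"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

Length and a blocklist do most of the work here; composition rules (one upper-case, one symbol) are what produce “Alaska123” in the first place, because users satisfy them with the same predictable suffix. The stripped-core comparison is the check most policies miss: once one variant of a pattern has been cracked, every suffix variant of it is effectively public.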

The Alaska cyberattack presented a particularly challenging problem for a court system that had relied on outsourcing key security services.

In April 2021, cybersecurity software detected unusual activity. An external cybersecurity consultant concluded it was the lead-up to an “imminent” ransomware attack, Marz said.

The court needed to cut external Internet access to prevent the attack from progressing and knew any delay gave hackers more chances to encrypt. At the same time, the cyber specialist was located “four time zones away” and needed remote access to review logs and put tracing software inside the networks to better understand the attack and extent of the damage.

Theoretically, the court’s firewalls could be reconfigured to deny everyone except the consultant, but no one in-house had the firewall expertise to do this.

“You have to really think about the vendors you’re working with,” Marz said. “We had outsourced our firewall roles, and that was a major problem for us.”

Marz determined a deadline when she’d cut connection, no matter what. Finally, with two hours to spare and with the help of the consultant, the team figured out the needed firewall configurations. Whew!
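What that firewall configuration has to express is simple to state: nothing in or out except the incident responder, and even that only to a jump host and only over the ports the responder needs. As an added example (not the Alaska court’s actual configuration, whose firewall vendor the article does not name), here is that intent in Linux nftables syntax. The consultant address 203.0.113.10 and the jump host 10.0.0.5 are placeholders from documentation ranges and are assumptions to be replaced.

```nft
# Added example, not the court's real ruleset.  Assumes an nftables-based
# perimeter firewall; CONSULTANT and JUMP are placeholder addresses.
flush ruleset

define CONSULTANT  = 203.0.113.10      # responder's fixed egress/VPN address (assumed)
define JUMP        = 10.0.0.5          # internal jump host the responder works from (assumed)
define MGMT_PORTS  = { 22, 443 }       # SSH and HTTPS to the jump host only

table inet lockdown {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # the responder may manage the firewall itself; everyone else is logged and dropped
        ip saddr $CONSULTANT tcp dport $MGMT_PORTS ct state new log prefix "IR-allow-in " accept
        ct state new log prefix "IR-drop-in " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # the only new sessions crossing the firewall: responder -> jump host
        ip saddr $CONSULTANT ip daddr $JUMP tcp dport $MGMT_PORTS ct state new log prefix "IR-allow-fwd " accept
        log prefix "IR-drop-fwd " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        ip daddr $CONSULTANT accept
        log prefix "IR-drop-out " drop
    }
}
```

Check the file with `nft -c -f lockdown.nft` before loading it with `nft -f lockdown.nft`; a syntax error at the moment you are trying to isolate the network is the worst time to discover one. Two caveats a responder would raise: the `log` statements are there so the cut-over itself produces evidence of what was still trying to talk out (encryption staging often needs a command-and-control channel), and a perimeter ruleset like this does nothing about an attacker already moving host to host inside the network, which is what internal segmentation is for. The deadline Marz set is the fallback this file also encodes: delete the two `$CONSULTANT` rules and it is total isolation.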

Alaska took its court system offline as work continued to ensure the perpetrators were fully removed from the network, then to rebuild systems, bolster security and restore from backups.

The courts had to proceed without Internet for about a month, which stopped everything from e-filing and online bail postings to Zoom hearings and digital payroll systems. As staff reverted to manual processes, they turned to conducting remote hearings by phone and using physical drop boxes and old fax machines.

“We broke out the fax machines,” Marz said. “Months earlier I had said … why do we have these things anymore? And, luckily, we hadn’t thrown them out yet.”

While the court worked to communicate clearly internally, Marz said courts should decide in advance how much they are willing to share with the public, given that threat actors might be listening. Opinions on this vary, and Marz favors avoiding public disclosure of the threat actor’s identity and motives, the exact malware used, the specific method by which the systems were penetrated, the costs of the attack and whether the victim has cyber insurance.

Alaska courts revised their approach in the aftermath, including training staff to bring certain skills in-house; planning backup, non-Internet alternatives for Internet-dependent functions; and modernizing unpatched legacy systems that had stayed around because of budget constraints and because the tools were useful to the business even if they were not secure.

Georgia, too, used a ransomware attack as an opportunity to modernize. When a June 2019 incident downed services, the court decided to bypass restoring legacy systems and instead rebuild in the cloud to bolster future resilience, said Jorge Basto, CIO of the Cherokee County Clerk of Courts and former CIO for the state Administrative Office of the Courts.

When the incident downed Georgia courts’ websites and servers, the court turned to partners like the National Guard and FBI for help. But there came a point where the court needed to take charge and reassert its own priorities over those of its partners. While law enforcement was focused on investigating the incident, Georgia wanted to focus on getting back online.

“We have 50, 60 people running around this office — everybody’s helping, everybody’s doing something,” Basto said. “But guess what? They’re looking for bad guys … meanwhile, my network’s not coming back … [The FBI,] they’re not just there using up your resources, they’re taking your people, your focus.”

The court team began recovering copies of its data from vendors and other agencies. As they worked to restore services, the court’s main, public-facing website was a high priority. That site would be a first stop for residents hearing about the incident and trying to find out more. If the website was down, people might panic, Basto said.

Basto said the question today isn’t if or when you’ll be hit by a cyberattack but how bad the damage will be. Has your planning made you more resilient?

A variety of measures can also help reduce the chances and severity of attacks, with Kennedy recommending layered defenses, network segmentation, mock phishing campaigns to raise staff’s alertness and moving toward zero trust.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson