Administrative Office of the United States Courts (AOUSC)

Russian state-backed attackers exploited vulnerabilities, unpatched since 2020, in the **CM/ECF/PACER** system (the fragmented, outdated electronic filing platform used by U.S. federal courts) to exfiltrate **sealed legal documents, witness identities, and the court system's internal blueprints**. The breach, part of a **multi-year espionage campaign**, targeted mid-level criminal cases, particularly those involving individuals with Russian or Eastern European surnames. The attackers took advantage of the system's **decentralized, legacy infrastructure** (some components dating to the Windows XP era) to maintain persistent access and compromise sensitive judicial data. No immediate operational disruption was reported, but the intrusion exposed systemic weaknesses in critical legal infrastructure and risks **long-term intelligence exploitation, witness endangerment, and erosion of judicial confidentiality**. The attack underscores the **strategic targeting of high-value, poorly secured government systems** by adversarial nation-states.

Source: https://www.theregister.com/2025/08/14/law_and_water_russia_blamed/

TPRM report: https://www.rankiteo.com/company/administrative-office-of-the-united-states-courts

"id": "adm740081425",
"linkid": "administrative-office-of-the-united-states-courts",
"type": "Cyber Attack",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': ['Lawyers',
                                               'Court personnel',
                                               'Individuals involved in sealed '
                                               'cases (particularly those with '
                                               'Russian/Eastern European '
                                               'surnames)'],
                        'industry': 'Judicial/Legal',
                        'location': 'United States',
                        'name': 'Administrative Office of the United States '
                                'Courts',
                        'type': 'Government Agency'},
                       {'customers_affected': ['Local population downstream of '
                                               'the dam',
                                               'Norwegian water management '
                                               'authorities'],
                        'industry': 'Energy/Water Management',
                        'location': 'Bremanger, Norway',
                        'name': 'Bremanger Dam',
                        'type': 'Critical Infrastructure'}],
 'attack_vector': ['Exploitation of Unpatched Vulnerabilities (since 2020)',
                   'Compromised Credentials (implied for court system)',
                   'Remote Access to Industrial Control Systems (dam)'],
 'customer_advisories': ['Lawyers using CM/ECF/PACER advised to monitor for '
                         'unusual activity.',
                         'Norwegian public reassured that dam attack caused no '
                         'lasting damage but demonstrated vulnerability.'],
 'data_breach': {'data_exfiltration': ['Confirmed (US court documents)',
                                       'Unspecified for Norwegian dam (though '
                                       'control was seized)'],
                 'file_types_exposed': ['PDF (legal documents)',
                                        'Database records (case files)',
                                        'System diagrams (blueprints)'],
                 'personally_identifiable_information': ['Witness identities',
                                                         'Names/details from '
                                                         'criminal cases'],
                 'sensitivity_of_data': ['High (sealed indictments, witness '
                                         'protection details, system '
                                         'blueprints)'],
                 'type_of_data_compromised': ['Sealed legal documents',
                                              'Witness identities',
                                              'Court system architectural '
                                              'blueprints',
                                              'Case files (including those '
                                              'with Russian/Eastern European '
                                              'surnames)']},
 'date_publicly_disclosed': '2024-08-05',
 'description': "Russian-linked attackers compromised the US federal court's "
                'outdated CM/ECF case-management system, exfiltrating sealed '
                'documents, witness identities, and system blueprints over a '
                'years-long campaign. Concurrently, suspected Russian cyber '
                'operators seized control of a Norwegian dam (Bremanger) for '
                'four hours, releasing 500 liters of water per second in a '
                'demonstrative attack aimed at instilling fear. Both incidents '
                'highlight vulnerabilities in critical Western infrastructure, '
                'with US and Norwegian authorities attributing the attacks to '
                'Kremlin-aligned actors.',
 'impact': {'brand_reputation_impact': ['Erosion of public trust in US federal '
                                        'court system security',
                                        'Perception of vulnerability in '
                                        'Norwegian critical infrastructure'],
            'data_compromised': ['Sealed court documents',
                                 'Witness identities',
                                 'US court system blueprints',
                                 'Midlevel criminal case files (NYC and other '
                                 'jurisdictions)'],
            'downtime': ['4 hours (Bremanger dam valves held open)'],
            'identity_theft_risk': ['High (witness identities exposed)'],
            'legal_liabilities': ['Potential violations of confidentiality for '
                                  'sealed court cases',
                                  'Risk of compromised legal proceedings'],
            'operational_impact': ['Disruption of dam operations (Norway)',
                                   'Potential compromise of legal proceedings '
                                   '(US)',
                                   'Loss of control over sensitive case '
                                   'materials'],
            'systems_affected': ["US Courts' CM/ECF (Case "
                                 'Management/Electronic Case Files) system',
                                 'PACER (Public Access to Court Electronic '
                                 'Records)',
                                 'Bremanger Dam Control Systems (Norway)']},
 'initial_access_broker': {'entry_point': ['Exploited vulnerabilities in '
                                           'CM/ECF system (US)',
                                           'Compromised dam control system '
                                           'credentials/access (Norway)'],
                           'high_value_targets': ['Sealed indictments (US)',
                                                  'Witness identities (US)',
                                                  'Dam control mechanisms '
                                                  '(Norway)'],
                           'reconnaissance_period': ['Years-long (US court '
                                                     'system)',
                                                     'Unspecified (Norway, but '
                                                     "part of a 'change in "
                                                     'activity over the past '
                                                     "year')"]},
 'investigation_status': ['Ongoing (US Department of Justice)',
                          'Active (Norwegian PST)'],
 'lessons_learned': ['Legacy systems (e.g., Windows XP-era software) in '
                     'critical infrastructure pose severe risks.',
                     'Nation-state actors exploit long-standing '
                     'vulnerabilities for espionage and sabotage.',
                     'Industrial control systems (e.g., dams) are targets for '
                     'demonstrative attacks.',
                     'Decentralized systems (e.g., 200+ local CM/ECF '
                     'instances) complicate security.',
                     'Pro-Russian cyber activity is escalating in both stealth '
                     '(US) and spectacle (Norway).'],
 'motivation': ['Espionage (US court documents, particularly cases involving '
                'Russian/Eastern European surnames)',
                'Demonstration of Capability (Norwegian dam attack to instill '
                'fear)',
                'Geopolitical Signaling'],
 'post_incident_analysis': {'root_causes': ['Outdated and unpatched software '
                                            '(US court systems).',
                                            'Lack of segmentation in critical '
                                            'infrastructure networks (Norway).',
                                            'Insufficient monitoring of '
                                            'anomalous access patterns (both '
                                            'incidents).',
                                            'Geopolitical tensions enabling '
                                            'state-sponsored cyber '
                                            'operations.']},
 'ransomware': {'data_exfiltration': ['Yes (US court system)']},
 'recommendations': ['Immediate patching of legacy systems in judicial and '
                     'critical infrastructure sectors.',
                     "Consolidation of fragmented IT systems (e.g., US courts' "
                     'local instances) to reduce attack surface.',
                     'Enhanced monitoring of industrial control systems for '
                     'anomalous behavior (e.g., dam valve changes).',
                     'Mandatory multi-factor authentication for sensitive '
                     'legal and infrastructure systems.',
                     'International cooperation on attributing and deterring '
                     'state-sponsored cyber operations.',
                     'Public-private partnerships to share threat intelligence '
                     'on Kremlin-aligned actors.'],
 'references': [{'source': 'The Register',
                 'url': 'https://www.theregister.com'},
                {'source': 'New York Times', 'url': 'https://www.nytimes.com'},
                {'source': 'Norwegian PST (via local media)'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violations of '
                                                    'US federal rules on '
                                                    'sealed court documents '
                                                    '(e.g., Federal Rule of '
                                                    'Criminal Procedure 6(e) '
                                                    'for grand jury secrecy)',
                                                    'Norwegian critical '
                                                    'infrastructure protection '
                                                    'laws'],
                           'regulatory_notifications': ['Disclosure to US '
                                                        'Congress/oversight '
                                                        'bodies (implied)',
                                                        'Norwegian government '
                                                        'notifications']},
 'response': {'communication_strategy': ['Public disclosure by US Courts '
                                         '(August 5)',
                                         'Statements by Norwegian PST (via '
                                         'local media)'],
              'incident_response_plan_activated': ['Confirmed by '
                                                   'Administrative Office of '
                                                   'the US Courts (August 5 '
                                                   'disclosure)',
                                                   'Norwegian PST (domestic '
                                                   'intelligence agency) '
                                                   'investigation'],
              'law_enforcement_notified': ['Norwegian PST',
                                           'US Department of Justice (implied, '
                                           'though no response confirmed)']},
 'stakeholder_advisories': ['US legal community warned of potential compromise '
                            'of sealed cases.',
                            'Norwegian critical infrastructure operators '
                            'advised to audit control systems.'],
 'threat_actor': ['Russian State-Sponsored Actors (suspected)',
                  'Kremlin-Aligned Cyber Groups'],
 'title': 'Transatlantic Cyberattacks on US Federal Court System and Norwegian '
          'Dam by Russian Actors',
 'type': ['Cyber Espionage',
          'Critical Infrastructure Sabotage',
          'Data Breach',
          'Unauthorized System Access'],
 'vulnerability_exploited': ['Legacy System Vulnerabilities (CM/ECF/PACER '
                             'platforms, some running on outdated Windows '
                             'XP-era software)',
                             'Unspecified bugs in dam control systems']}