Russian Hackers Lurked in US Courts for Years, Took Sealed Files

Russian government hackers lurked in the records system of the US courts for years and stole sensitive documents that judges had ordered sealed from public view, according to two people familiar with the matter and a report seen by Bloomberg News.

The attackers had access to what was supposed to be protected information for multiple years, the report on the breach shows. They gained access by exploiting stolen user credentials and a cybersecurity vulnerability in an outdated server used by the federal judiciary, according to the report, which says the hackers specifically searched for sealed records.

The report, which was reviewed in part by Bloomberg, doesn’t identify the attackers. But investigators found evidence that they were a Russian state-sponsored hacking group, according to the people, who spoke on condition that they not be named because they were not authorized to discuss the matter.

It’s unclear exactly when the hackers first penetrated the system and when the courts became aware of the breach. Last fall, the judiciary hired a cybersecurity firm to help address it, said one of the people.

The attackers’ years of access to sealed court records, which hasn’t been previously reported, is likely to prompt concerns about how many sensitive cases and investigations may have been compromised. It also raises questions about when the judiciary became aware of the breach and how it responded.

Peter Kaplan, a spokesperson for the Administrative Office of the US Courts, declined to comment. The judiciary said in a statement last week that it is taking “additional steps to strengthen protections for sensitive case documents in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system.”

The Russian Embassy in Washington didn’t respond to an email seeking comment. A Department of Justice spokesperson, Shannon Shevlin, said the agency isn’t able to discuss ongoing investigations.

Read More: Foreign Hackers Said to Access Sealed National Security Cases

The breach is coming to public light as US President Donald Trump is set to meet with his Russian counterpart, Vladimir Putin, to discuss ending Russia’s war in Ukraine. Asked whether he would raise the hack with Putin this week, Trump said he had heard about the breach and could do so. “That’s what they do. They’re good at it. We’re good at it. We’re actually better at it,” the president said.

The intrusion was previously reported by Politico, while the New York Times earlier reported that Russia was at least in part behind the cyberattack.

The hackers targeted sealed documents in espionage and other sensitive cases, including ones involving fraud, money laundering and agents of foreign governments, Bloomberg Law reported on Tuesday. Such records often include sensitive information that, in the wrong hands, could be used to compromise criminal and national security investigations, or to identify people who provide information to law enforcement.

“These court records are some of the most valuable documents our government holds, especially for those individuals named in them,” said Jake Braun, who was principal deputy national cyber director at the White House under President Joe Biden. “Unfortunately, the Judiciary is not funded by Congress adequately to protect the data it holds, and we need to address that immediately.”

The court system spent years after a major breach, found in 2020, analyzing its vulnerabilities and developing policy and technology infrastructure fixes, according to a 2023 statement. The US government blamed that intrusion, part of a massive cyberattack that utilized malicious code implanted in software by Texas-based SolarWinds Corp., on Russian hackers. It’s unclear if the more recent compromise of the court system is related.

Read More: Suspected Russian Hackers Targeted DOJ, US Court Filings

Last fall, the courts hired Palo Alto Networks Inc.’s Unit 42 to help it address the recent breach, and the firm completed its work before the end of 2024, according to one of the people. A spokesperson for the Santa Clara, California-based cybersecurity company, Caren Auchman, declined to comment.

In May, the courts said they had begun implementing multifactor authentication, which is widely seen as a basic cybersecurity measure, for its records system. In June, Michael Scudder, a federal judge who leads the courts’ Committee on Information Technology, told the House Judiciary Committee that underinvestment had until recently left the judiciary’s systems “outdated and vulnerable.” Scudder, reached by phone, referred questions to the court spokesperson.

In July, congressional staff, including for the Senate and House judiciary committees, received a briefing on the breach, according to a person familiar with the matter, who said lawmakers have requested a classified follow-up briefing in September.

More than a dozen federal courts across the country have updated their procedures for attorneys filing highly sensitive material since June, with some ordering that all sealed records be submitted as hard copies, Bloomberg Law reported. In the Eastern District of New York, for instance, the chief judge last Friday barred sealed documents related to criminal cases from being uploaded to the electronic records filing system.

--With assistance from Josh Wingrove.

To contact the reporters on this story:
Jake Bleiberg in New York at jbleiberg2@bloomberg.net;
Jamie Tarabay in Washington at jtarabay2@bloomberg.net

To contact the editors responsible for this story:
Andrew Martin at amartin146@bloomberg.net

Jeff Stone

© 2025 Bloomberg L.P. All rights reserved. Used with permission.