When Cyber Criminals Come for the Courts

Serious cyber incidents struck state courts in Alaska, Georgia and Texas in the past couple years, with one leaving Alaska’s courts a month without Internet and four months without connection to the executive branch.

During the National Center for State Courts (NCSC) eCourts conference in Las Vegas this week, court administrators and CIOs explained what went wrong and the lessons they learned about recovery and prevention.


In May 2020 a ransomware attack hit Texas courts in the early morning hours, while IT staff were asleep. It affected servers at each of the state’s two high courts and at its 14 intermediate appellate courts, explained Casey Kennedy, CIO for Texas’ Office of Court Administration.

Hackers likely used a phishing campaign to take over a regular user email account, then used a zero-day exploit to grant the account administrator-level privileges. From there, they moved laterally to find a juicier target.

“We could watch them jump from server to server until they found our domain controller … the machine that stores all your usernames and all your passwords,” Kennedy said.

Attackers then attempted to introduce a variety of viruses, but the anti-virus thwarted most attempts — until perpetrators switched to a more subtle, living-off-the-land style attack.

Attackers opened the Notepad application and suspended the application from memory to stop it running. They next wrote a virus into Notepad in memory and then unsuspended it, Kennedy said. This tricked the system into thinking it was just running a legitimate program — Notepad — when in truth it was now running a virus. Perpetrators were able to then deploy the virus throughout computers on the network.


There was one silver lining, though. Following a cyber incident, the non-IT sides of government tend to become newly receptive to cybersecurity proposals, and abandon complaints about defense measures causing frictions. That mindset lasts about six months, Kennedy said, and is an opportunity to push through policies like strong password requirements, mandatory multifactor…