Executive Summary
In late 2023, a Tennessee man illicitly accessed the U.S. Supreme Court’s restricted electronic filing system, as well as accounts at AmeriCorps and the Department of Veterans Affairs, through the repeated use of stolen credentials. Over multiple months, Nicholas Moore gained unauthorized entry to sensitive government systems at least 25 times, collecting and exfiltrating personal, legal, and health data. He then publicized this sensitive information via his Instagram handle, @ihackedthegovernment, exposing government, AmeriCorps, and veteran data, including personal identifiers and privileged health information.
This case illustrates how far an attacker can get with compromised credentials alone: no software exploit was involved, and each agency system was entered with its own set of stolen logins rather than by pivoting from one network into another. It also shows an attacker willing to publicize stolen data on social media for notoriety. For federal agencies the exposure lies in access control and credential-misuse monitoring: limiting what an authenticated account can reach, detecting anomalous or repeated logins, and controlling bulk export of records are the controls that would have reduced the impact.
Why This Matters Now
The Supreme Court and agency breaches shine a spotlight on the urgent need for robust credential management and access controls. Attackers increasingly exploit reused or weak credentials to bypass defenses, often targeting sensitive public sector data for reputational or ideological impact. This incident highlights the importance of proactive threat detection and internal segmentation at a time of heightened scrutiny on public infrastructure security.
Attack Path Analysis
The attacker authenticated to agency web portals and cloud-hosted applications with stolen valid credentials, inheriting whatever access the legitimate account holders had and using it to browse and collect sensitive records. Movement between systems (the Supreme Court e-filing system, AmeriCorps, and the VA) was not a pivot within one network but repeated initial access, each time with a different set of compromised logins; the sources describe at least 25 unauthorized accesses over several months. Persistence consisted of nothing more than re-using credentials that remained valid, possibly from behind anonymizing services. Data was exfiltrated by viewing and exporting records through the applications' own interfaces, then leaked publicly on Instagram, where the attacker also boasted of the breach.
Kill Chain Progression
Initial Compromise
Description
The attacker gained unauthorized access to cloud-based case management and government service portals by leveraging previously compromised valid credentials.
Related CVEs
None. The intrusions did not exploit a software vulnerability; access was obtained with valid but stolen user credentials for each system, so no CVE identifier or CVSS score applies.
Affected Systems:
U.S. Supreme Court Electronic Filing System
AmeriCorps MyAmeriCorps Portal
Department of Veterans Affairs My HealtheVet Portal
MITRE ATT&CK® Techniques
Valid Accounts (T1078)
Data from Cloud Storage (T1530)
Exfiltration Over Web Service (T1567)
Gather Victim Identity Information (T1589)
Gather Victim Org Information (T1591)
Techniques involving brute force or execution of a malicious file are not supported by the cited sources and are not mapped here.
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 Rev.5 – Account Management and Authentication
Control IDs: AC-2 (Account Management), IA-2 (Identification and Authentication), IA-5 (Authenticator Management)
CISA Zero Trust Maturity Model 2.0 – Strong Authentication and Credential Protection
Control ID: Identity Pillar - Authentication
HIPAA Security Rule – Workforce Security and Person or Entity Authentication (applies to the VA health data)
Control IDs: 164.308(a)(3), 164.312(d)
The following frameworks do not apply to the victim agencies (no cardholder data, not a New York financial services company, not an EU entity) and are listed only for organizations mapping the same attack pattern to their own obligations:
PCI DSS 4.0 – User Identification and Strong Authentication
Control IDs: Requirements 8.2 and 8.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Multi-Factor Authentication
Control IDs: 500.03, 500.12
NIS2 Directive – Access Control and Multi-Factor Authentication
Control IDs: Art. 21(2)(i), Art. 21(2)(j)
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Government Administration
Direct breach of the Supreme Court filing system and two federal agencies by a single individual with stolen logins shows how exposed government infrastructure is to credential misuse, and the need for zero trust segmentation and per-account access monitoring.
Health Care / Life Sciences
The VA breach exposed veterans' personal health record (PHR) data, underscoring the need for egress controls and detection of bulk record access to prevent unauthorized exfiltration of health information.
Legal Services
Compromise of the Supreme Court electronic filing system threatens the confidentiality of non-public filings and filer account data, requiring multicloud visibility and identity-based policy enforcement for legal platforms.
Information Technology/IT
Credential-based access across multiple federal systems demonstrates the need for threat detection and anomaly response on authentication events, and for secure hybrid connectivity that limits what a compromised account can reach.
Sources
- Hacker admits to leaking stolen Supreme Court data on Instagram (BleepingComputer): https://www.bleepingcomputer.com/news/security/hacker-admits-to-leaking-stolen-supreme-court-data-on-instagram/
- Tennessee Man Pleads in Hacking U.S. Supreme Court, AmeriCorps, and VA Health System (U.S. Department of Justice, USAO-DC): https://www.justice.gov/usao-dc/pr/tennessee-man-pleads-hacking-us-supreme-court-americorps-and-va-health-system
- Tennessee man pleads guilty to repeatedly hacking Supreme Court's filing system (The Washington Post, 2026-01-16): https://www.washingtonpost.com/politics/2026/01/16/nicholas-moore-supreme-court-hacked-filing-system/5b6110e4-f322-11f0-a4dc-effc74cb25af_story.html
- Supreme Court hacker posted stolen government data on Instagram (TechCrunch, 2026-01-16): https://techcrunch.com/2026/01/16/supreme-court-hacker-posted-stolen-government-data-on-instagram/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF controls such as zero trust segmentation, east-west traffic security, egress enforcement, and anomaly detection would have limited what each compromised account could reach, raised detection fidelity on the repeated logins, and could have blocked or at least logged bulk export of records to unauthorized destinations. These controls provide continuous monitoring and least privilege barriers, reducing both the attack surface and the impact of credential compromise.
Control: Zero Trust Segmentation
Mitigation: Limits the scope of initial access by restricting communication based on identity and least privilege, and restricts data access by enforcing service identity boundaries.
Control: East-West Traffic Security
Mitigation: Prevents unauthorized workload-to-workload or service-to-service access across regions.
Control: Threat Detection & Anomaly Response
Mitigation: Detects repeated, anomalous, or out-of-policy access attempts (the same account from many sources, many accounts from one source, logins via anonymizers) and triggers alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents and logs outgoing data flows to unauthorized destinations, and rapidly detects, contains, and enables response to policy violations and leaks across environments.
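The detection control above is easiest to understand as rules run over authentication logs. The following is an added example, not code from the original page or from any CNSF product: it parses a constructed log (timestamp, user, source IP, result, application), and flags the three patterns this incident would have produced: one source IP authenticating as several accounts in a short window, one account used from several IPs in a day, and successful logins from a known anonymizer range. The log format, field names, thresholds, and the anonymizer range list are all assumptions.

```python
"""Credential-misuse detection over authentication logs (added example).

Log lines, thresholds and the anonymizer feed below are constructed for
illustration; a real deployment reads its IdP or application auth logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log: ISO timestamp, user, source IP, result, application.
SAMPLE_LOG = """\
2023-11-02T01:14:05Z alice 203.0.113.7 success efiling
2023-11-02T01:14:09Z alice 203.0.113.7 success efiling
2023-11-02T01:20:31Z bob 192.0.2.9 success portal
2023-11-02T02:05:44Z alice 198.51.100.22 success efiling
2023-11-02T02:06:01Z carol 198.51.100.22 success efiling
2023-11-02T02:06:30Z dave 198.51.100.22 success efiling
2023-11-02T02:07:12Z erin 198.51.100.22 failure efiling
2023-11-02T02:07:40Z erin 198.51.100.22 success efiling
2023-11-02T03:10:00Z bob 192.0.2.9 success portal
2023-11-03T22:45:00Z alice 203.0.113.7 success efiling
"""

# Assumed threat-intel feed of VPN/Tor exit ranges (constructed, documentation prefix).
ANONYMIZER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the space-separated log format assumed above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, app = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "ok": result == "success",
            "app": app,
        })
    return events


def is_anonymizer(ip):
    return any(ip in net for net in ANONYMIZER_RANGES)


def detect(events, window=timedelta(minutes=15), min_users=3, max_ips_per_day=1):
    """Return findings keyed by rule name; only successful logins are scored."""
    findings = {"many_users_one_ip": {}, "multi_ip_account": {}, "anonymizer_login": set()}
    ok = sorted((e for e in events if e["ok"]), key=lambda e: e["ts"])

    # Rule 1: one source IP authenticating as >= min_users distinct accounts
    # inside `window` (a stolen credential set being worked through).
    by_ip = defaultdict(list)
    for e in ok:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                findings["many_users_one_ip"][str(ip)] = sorted(users)
                break

    # Rule 2: one account used from more than max_ips_per_day distinct IPs
    # on the same calendar day (owner plus an attacker re-using the login).
    by_user_day = defaultdict(set)
    for e in ok:
        by_user_day[(e["user"], e["ts"].date())].add(e["ip"])
    for (user, day), ips in by_user_day.items():
        if len(ips) > max_ips_per_day:
            findings["multi_ip_account"][(user, day.isoformat())] = sorted(str(i) for i in ips)

    # Rule 3: any successful login from a known anonymizer range.
    for e in ok:
        if is_anonymizer(e["ip"]):
            findings["anonymizer_login"].add((e["user"], str(e["ip"])))
    return findings


if __name__ == "__main__":
    for rule, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(rule, hits)
```

On the constructed log, rule 1 fires for 198.51.100.22 (four accounts in under two minutes), rule 2 fires for alice on 2023-11-02 (her normal address plus the anonymizer address), and rule 3 lists every account that authenticated through the anonymizer range. Any one of these would have surfaced the pattern in this incident before the 25th login.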
Impact at a Glance
Affected Business Functions
- Legal Document Management
- Volunteer Management
- Veteran Health Records Management
Estimated downtime: 7 days
Estimated loss: $500,000
Personal information of individuals associated with the U.S. Supreme Court, AmeriCorps, and the Department of Veterans Affairs was exposed, including names, dates of birth, email addresses, home addresses, phone numbers, citizenship status, veteran status, service history, and health information.
Recommended Actions
Key Takeaways & Next Steps
- Enforce identity-based segmentation for all cloud workloads and SaaS access to prevent broad lateral movement by compromised users.
- Deploy granular egress policy controls to detect and block unauthorized data exfiltration from all cloud and SaaS connected workloads.
- Enhance east-west traffic inspection within and across clouds to spot and interrupt attacker pivoting and anomalous access.
- Leverage real-time threat detection, traffic baselining, and anomaly alerting to rapidly surface credential misuse or repeat suspicious logins.
- Centralize policy governance and visibility across multi-cloud and SaaS environments to ensure consistent zero trust enforcement and rapid incident response.
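The egress recommendation above, as an added example that is not part of the original page or of any CNSF product: a default-deny egress policy keyed on workload identity, evaluated over constructed flow records, that logs every denied flow and also alerts when an allowed path carries more bytes than a per-workload daily budget (the bulk-export case, where the destination is legitimate but the volume is not). The policy schema, workload names, budgets and flow records are assumptions.

```python
"""Default-deny egress policy with volume alerting (added example).

POLICY, BYTE_BUDGET and FLOWS are constructed assumptions; a real system
would load them from a policy store and a flow-log pipeline.
"""
import ipaddress
from collections import defaultdict

# Assumed policy: per workload identity, the (destination CIDR, port) pairs
# it may talk to. Anything not listed, including unknown workloads, is denied.
POLICY = {
    "efiling-api": [("10.20.0.0/16", 5432), ("10.30.0.0/16", 443)],  # db tier, internal object store
    "portal-web": [("10.20.0.0/16", 5432)],
}

# Assumed per-workload daily egress budget in bytes on allowed paths.
BYTE_BUDGET = {"efiling-api": 50_000_000, "portal-web": 10_000_000}

# Constructed flow records: (workload, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("efiling-api", "10.20.4.12", 5432, 120_000),
    ("efiling-api", "10.30.9.4", 443, 30_000_000),
    ("efiling-api", "10.30.9.4", 443, 30_000_000),    # second bulk pull exceeds budget
    ("efiling-api", "203.0.113.50", 443, 8_000_000),  # public destination: not in policy
    ("portal-web", "10.20.4.12", 5432, 5_000),
    ("portal-web", "10.20.4.12", 22, 400),            # allowed network, wrong port
    ("unknown-job", "10.20.4.12", 5432, 10),          # no policy entry: default deny
]


def is_allowed(workload, dst_ip, dst_port):
    """True only if some policy entry for this workload matches both CIDR and port."""
    ip = ipaddress.ip_address(dst_ip)
    for cidr, port in POLICY.get(workload, []):
        if port == dst_port and ip in ipaddress.ip_network(cidr):
            return True
    return False


def evaluate(flows):
    """Return (decisions, alerts): one allow/deny decision per flow, plus alerts
    for denied flows and for the first time a workload exceeds its byte budget."""
    decisions, alerts = [], []
    egress = defaultdict(int)
    over_budget = set()
    for workload, dst_ip, dst_port, nbytes in flows:
        allowed = is_allowed(workload, dst_ip, dst_port)
        decisions.append((workload, dst_ip, dst_port, "allow" if allowed else "deny"))
        if not allowed:
            # Denied flows are logged with their size: a blocked 8 MB push to a
            # public address is itself an exfiltration indicator.
            alerts.append(("denied_egress", workload, f"{dst_ip}:{dst_port}", nbytes))
            continue
        egress[workload] += nbytes
        if egress[workload] > BYTE_BUDGET.get(workload, 0) and workload not in over_budget:
            over_budget.add(workload)
            alerts.append(("egress_budget_exceeded", workload, egress[workload], BYTE_BUDGET.get(workload, 0)))
    return decisions, alerts


if __name__ == "__main__":
    decisions, alerts = evaluate(FLOWS)
    for d in decisions:
        print("DECISION", d)
    for a in alerts:
        print("ALERT", a)
```

Two design points matter here. Matching requires both the CIDR and the port, so an allowed database network does not implicitly allow SSH to it, and a workload with no policy entry is denied rather than falling through to an implicit allow. The byte budget is what catches the scenario in this incident, where the destination the records flowed to was an approved interface and only the volume and repetition were abnormal.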

