“Hacking-for-hire” : the cyber attacks on the U.S. legal industry


It’s easy to overlook how hacking-for-hire (especially phishing emails; so easy to set up) remains a viable business. It isn’t just the U.S. Supreme Court dismantling the American judicial system. The corporate legal industrial complex wants to get in on the act, too. 

 

BY:

Eric De Grasse
Chief Technology Officer
PROJECT COUNSEL MEDIA

 

1 July 2022 – Earlier this year we noted that one of our cybersecurity partners was involved in a large study of how law firms were a principal target of professionals in the “hacking-for-hire” industry. We were not allowed to discuss it due to the obvious confidential nature of the study but Reuters has now published the details (link below).

This is not new. Regular hackers and “hacking-for-hire” groups have targeted thousands of individuals, law firms, organisations and corporations on six continents for years – with a particular focus on U.S. law firms. In the U.S. this was first picked up as long ago as 2015 when Chinese hackers were found to have breached an Am Law 100 firm based in New York City, and an eDiscovery document review vendor with an electronic document review center. Via a phishing exercise, the hackers used a law firm employee’s credentials, installing malware on the law firm’s servers to access emails from lawyers, including a partner responsible for a major acquisition, and accessed the review center.

But this turned out to be just the tip of the iceberg. The FBI found targeted individuals at scores of major U.S. and global law firms. Lawyers working on corporate litigation and financial services were disproportionately represented, with targets in many countries including Belgium, France, Israel, Norway, Switzerland, the U.S., and the UK.

The “hackers-for-hire” conducted commercial espionage on behalf of clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy – sometimes stating it was a ransomware attack to cover the true nature of their attack: data theft on behalf of a specific client. It was the usual phishing ruse: inviting subjects to give security details in replies to emails from apparently reputable sources.

But the study I have noted in the first paragraph above involves Indian cyber attack mercenaries and it involved lawsuits around the world. It is an open secret that there are private investigators who use Indian hacker groups and other groups to target opposition in litigation battles.

Among the law firms targeted were global practices, including U.S.-based Baker McKenzie, Cooley and Cleary Gottlieb. Major European firms, including London’s Clyde & Co. and Geneva-based arbitration specialist LALIVE, were also hit. The legal cases identified by Reuters varied in profile and importance. Some involved obscure personal disputes. Others featured multinational companies with fortunes at stake.

The email trove provides a startling look at how lawyers and their clients are targeted by cyber mercenaries, but it leaves some questions unanswered. The list doesn’t show who hired the spies, for example, and it wasn’t always clear which hacking attempts were successful or, if so, how the stolen information was used. Still, as noted in the article, the attempts to steal privileged information showed these attacks had real potential to undermine the legal process. So it isn’t just the U.S. Supreme Court dismantling the American judicial system. The corporate legal industrial complex wants to get in on the act, too.

Needless to say, Cleary declined comment. The five law firms did not return messages left by Reuters reporters. You can read the full Reuters article by clicking here.

In a way, the ease of hacking a law firm comes as no surprise. The latest PwC Law Firms’ Survey notes that cybersecurity remains a key challenge for law firms, and the sector is increasingly being targeted as firms hold both a wealth of sensitive data and large amounts of client money. Too often law firms are run by attorneys with little to no background when it comes to cybersecurity or even security best practices as a baseline. Even if there is a larger management structure in place, areas of cybersecurity are left to the attorney’s discretion. Notes the PwC report: “These are lawyers without the required cybersecurity expertise who simply don’t have the additional time to brush up on building a sound security posture from scratch. Meanwhile, attorneys have inside details on mergers, patents and private or personal information, all waiting for the next cyber attack”.

I asked our cybersecurity partner its view and the response was:

“Oh, we hear ‘best practices’ bandied about at every law firm cybersecurity meeting we attend, every law conference we attend – all to no avail. And what do we find when we go into a law firm? Minimum to no use of file encryption, email encryption, whole/full disk encryption. In 3 law firms there was no use of two-factor authentication, intrusion prevention, intrusion detection, remote device management and wiping, web filtering, employee monitoring, or biometric login. All easy to employ. Why not employed? We were always told ‘it’s the cost’.

And you asked about eDiscovery. The archaic process of eDiscovery makes it doubly vulnerable to hacking and data breach. This whole system of e-discovery document repositories, with data going everywhere. The client collecting data, sending it to its outside counsel, who is sending that data to vendors and other colleagues throughout the firm. All via the most insecure channels you can imagine.”

With that kind of thinking, is anybody surprised you can pretty much just walk into a law firm’s data silo?”
