Attacks/Breaches

4/6/2011 03:47 PM
Law Firms Under Siege

Legal eagles present a relatively soft target with troves of valuable corporate intelligence that cyberspies crave

Law firms are increasingly getting hit by stealthy, low-profile targeted attacks going after intelligence on their corporate clients.

Forensics investigators at Mandiant are working on twice as many targeted attacks by so-called advanced persistent threat (APT) adversaries against law firms as in years past; of the commercial victims Mandiant investigated during the past 18 months or so, 10 percent were law firms. And those are only the cases Mandiant sees: Its executives say many more go unnoticed by the victim organizations.

Why are law firms joining the ranks of federal government agencies, defense contractors, and technology companies, like Google and RSA, as targets for APTs? "Law firms are a means to an end: a defense contractor or utility" that they represent, for example, says Steve Surdu, vice president of professional services at Mandiant. Surdu says while he worked on just a handful of cases where law firms were hit, he now sees a dozen to 15 at once.

Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on, for example, a new weapons system or software product. Firms that represent clients in mergers and acquisitions, or in civil litigation, are getting hit, particularly when those clients are party to deals with Chinese companies.

Luis Salazar, partner with Infante, Zumpano, Hudson & Miloch in Coral Gables, Fla., says firms are a prime target because they are constantly being solicited for new business, often via email. "Lawyers make money off of new clients. When email messages come in that want to hire them, there is some hope and expectation of 'let me pursue it, and see if it results' in a new client," Salazar says.

Phishing attacks against law firms are nothing new -- the FBI warned firms back in November 2009 of a massive phishing attack aimed at firms.

When Google announced in January 2010 that it had been targeted by hackers out of China, at least one law firm was identified publicly as a victim of the same attack campaign that also hit Adobe, Intel, and other big-name players. That firm was King & Spalding, which specializes in corporate espionage, among other things. King & Spalding did not respond to requests for an interview.

Around the same time, another large firm, Gipson Hoffman & Pancione, said it was hit with a targeted attack using emails purportedly from firm employees that came with Trojan-rigged attachments.

Gipson Hoffman & Pancione is the firm representing the CyberSitter software vendor that sued the People's Republic of China and seven computer vendors for $2.2 billion in damages over the alleged piracy of CyberSitter's software for use in China's Green Dam censoring software. The firm revealed in a statement on Jan. 10 -- a week after the suit was filed -- that it had "come under a cyber attack directed from within China. The attack comes on the heels of widespread reports of Chinese cyber attacks against Google."

This type of attack is often characterized as one waged by an "APT" -- players with nation-state backing that infiltrate networks and stay there for long periods of time, exfiltrating as much intelligence and intellectual property as they can. The APT adversary typically hails from various organized groups out of China that are hell-bent on snatching as much information as they can.

Lucy Thomson, vice chair of the American Bar Association's science and technology law and author of the "Data Breach and Encryption Handbook," says the e-discovery process law firms execute can leave some sensitive corporate information relatively unprotected. "It's possible the information comes from a very secure source, a company with very good security. Then it goes to a law firm, and who knows what kind of security they are going to have," Thomson says.

Firms sometimes use thumb drives to gather this information. "I attended a program on e-discovery where someone from a law firm was talking about ... how [people] were collecting information on thumb drives and then taking it back to the law firm. It was very insecure ... a very informal kind of ad hoc process, with really no security built in," Thomson says.

The legal industry doesn't have its own security regulations, although firms might fall under PCI and HIPAA, depending on the scope of their practices.

Mandiant's Surdu says it's just easier to break into a law firm to get intelligence. "Law firms tend to aggregate key information from their clients ... and it's almost always a smaller organization, with less time and money spent on security than its [clients have]. It's easier to break into a law firm when all the information is piled into a single directory," Surdu says.

And law firms likely have been targets for some time, but only recently are becoming aware of these low-profile, persistent attacks. "I would guess it isn't necessarily new, but just better understood," he says.

But law firms also are getting targeted with neo-Nigerian scams or other classic targeted attacks that are all about extorting money. Infante, Zumpano, Hudson & Miloch's Salazar says he gets phishing emails all the time, many of which land in his spam filter, and the theme is typically the same. In one email Salazar received, for instance, a Hong Kong-based electronics firm asked for his firm's representation in order to help it recover money from a delinquent U.S.-based entity, a fairly believable request.

"They ask where I wire the retainer. And it's usually some scam involving getting that account information" in order to steal money, Salazar says. "Here is a blanket email to as many lawyers as they can, and if they have a 1 percent success rate, they are making money, I suppose."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
