Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

4/6/2011
03:47 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Law Firms Under Siege

Legal eagles present a relatively soft target with troves of valuable corporate intelligence that cyberspies crave

Law firms are increasingly getting hit by stealthy, low-profile targeted attacks going after intelligence on their corporate clients.

Forensics investigators at Mandiant are working on twice as many targeted attacks by so-called advanced persistent threat (APT) adversaries against law firms than in years past; of the commercial victims Mandiant investigated during the past 18 months or so, 10 percent were law firms. And those are only the cases Mandiant sees: Its executives say many more go unnoticed by the victim organizations.

Why are law firms joining the ranks of federal government agencies, defense contractors, and technology companies, like Google and RSA, as targets for APTs? "Law firms are a means to an end: a defense contractor or utility" that they represent, for example, says Steve Surdu, vice president of professional services at Mandiant. Surdu says while he worked on just a handful of cases where law firms were hit, he now sees a dozen to 15 at once.

Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on a new weapons system or software, for example. Firms that represent clients in mergers and acquisitions, or civil litigation, are getting hit, including when their clients are involved with deals involving Chinese companies.

Luis Salazar, partner with Infante, Zumpano, Hudson & Miloch in Coral Gables, Fla., says firms are a prime target because they are constantly being solicited for new business, often via email. "Lawyers make money off of new clients. When email messages come in that want to hire them, there is some hope and expectation of 'let me pursue it, and see if it results' in a new client," Salazar says.

Phishing attacks against law firms are nothing new -- the FBI warned firms back in November 2009 of a massive phishing attack aimed at firms.

When Google announced in January 2010 that it had been targeted by hackers out of China, at least one law firm was identified publicly as a victim of the same attack campaign that also hit Adobe, Intel, and other big-name players. That firm was King & Spalding, which specializes in corporate espionage, among other things. King & Spalding did not respond to requests for an interview.

Around the same time, another large firm, Gipson Hoffman & Pancione, said it was hit with a targeted attack using emails purportedly from firm employees that came with Trojan-rigged attachments.

Gipson Hoffman & Pancione is the firm representing the CyberSitter software vendor that sued the People's Republic of China and seven computer vendors for $2.2 billion in damages over the alleged piracy of CyberSitter's software for use in China's Green Dam censoring software. The firm revealed in a statement on Jan. 10 -- a week after the suit was filed -- that it had "come under a cyber attack directed from within China. The attack comes on the heels of widespread reports of Chinese cyber attacks against Google."

This type of attack is often characterized as one waged by an "APT" -- players with nation-state backing that infiltrate networks and stay there for long periods of time exfiltrating as much intelligence and intellectual property as they can. The ATP adversary typically hails from various organized groups out of China who are hell-bent on snatching as much information as they can.

Lucy Thomson, vice chair of the American Bar Association's science and technology law and author of the "Data Breach and Encryption Handbook," says the e-discovery process law firms execute can leave some sensitive corporate information relatively unprotected. "It's possible the information comes from a very secure source, a company with very good security. Then it goes to a law firm, and who knows what kind of security they are going to have," Thomson says.

Firms sometimes use thumb drives to gather this information. "I attended a program on e-discovery where someone from a law firm was talking about ... how [people] were collecting information on thumb drives and then taking it back to the law firm. It was very insecure ... a very informal kind of ad hoc process, with really no security built in," Thomson says.

The legal industry doesn't have its own security regulations, although firms might fall under PCI and HIPAA, depending on the scope of their practices.

Mandiant's Surdu says it's just easier to break into a law firm to get intelligence. "Law firms tend to aggregate key information from their clients ... and it's almost always a smaller organization, with less time and money spent on security than its [clients have]. It's easier to break into a law firm when all the information is piled into a single directory," Surdu says.

And law firms likely probably already had been targets for some time, but only recently are becoming aware of these low-profile, persistent attacks. "I would guess it isn't necessarily new, but just better understood," he says.

But law firms also are getting targeted with neo-Nigerian scams or other classic targeted attacks that are all about extorting money. Infante, Zumpano, Hudson & Miloch's Salazar says he gets phishing emails all the time, many of which land in his spam filter, and the theme is typically the same. In one email Salazar received, for instance, a Hong Kong-based electronics firm asked for his firm's representation in order to help it recover money from a delinquent U.S.-based entity, a fairly believable request.

"They ask where I wire the retainer. And it's usually some scam involving getting that account information" in order to steal money, Salazar says. "Here is a blanket email to as many lawyers as they can, and if they have a 1 percent success rate, they are making money, I suppose."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Vulnerability Disclosure Programs See Signups & Payouts Surge
Kelly Sheridan, Staff Editor, Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...