Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:47 PM
Connect Directly

Law Firms Under Siege

Legal eagles present a relatively soft target with troves of valuable corporate intelligence that cyberspies crave

Law firms are increasingly getting hit by stealthy, low-profile targeted attacks going after intelligence on their corporate clients.

Forensics investigators at Mandiant are working on twice as many targeted attacks by so-called advanced persistent threat (APT) adversaries against law firms than in years past; of the commercial victims Mandiant investigated during the past 18 months or so, 10 percent were law firms. And those are only the cases Mandiant sees: Its executives say many more go unnoticed by the victim organizations.

Why are law firms joining the ranks of federal government agencies, defense contractors, and technology companies, like Google and RSA, as targets for APTs? "Law firms are a means to an end: a defense contractor or utility" that they represent, for example, says Steve Surdu, vice president of professional services at Mandiant. Surdu says while he worked on just a handful of cases where law firms were hit, he now sees a dozen to 15 at once.

Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on a new weapons system or software, for example. Firms that represent clients in mergers and acquisitions, or civil litigation, are getting hit, including when their clients are involved with deals involving Chinese companies.

Luis Salazar, partner with Infante, Zumpano, Hudson & Miloch in Coral Gables, Fla., says firms are a prime target because they are constantly being solicited for new business, often via email. "Lawyers make money off of new clients. When email messages come in that want to hire them, there is some hope and expectation of 'let me pursue it, and see if it results' in a new client," Salazar says.

Phishing attacks against law firms are nothing new -- the FBI warned firms back in November 2009 of a massive phishing attack aimed at firms.

When Google announced in January 2010 that it had been targeted by hackers out of China, at least one law firm was identified publicly as a victim of the same attack campaign that also hit Adobe, Intel, and other big-name players. That firm was King & Spalding, which specializes in corporate espionage, among other things. King & Spalding did not respond to requests for an interview.

Around the same time, another large firm, Gipson Hoffman & Pancione, said it was hit with a targeted attack using emails purportedly from firm employees that came with Trojan-rigged attachments.

Gipson Hoffman & Pancione is the firm representing the CyberSitter software vendor that sued the People's Republic of China and seven computer vendors for $2.2 billion in damages over the alleged piracy of CyberSitter's software for use in China's Green Dam censoring software. The firm revealed in a statement on Jan. 10 -- a week after the suit was filed -- that it had "come under a cyber attack directed from within China. The attack comes on the heels of widespread reports of Chinese cyber attacks against Google."

This type of attack is often characterized as one waged by an "APT" -- players with nation-state backing that infiltrate networks and stay there for long periods of time exfiltrating as much intelligence and intellectual property as they can. The ATP adversary typically hails from various organized groups out of China who are hell-bent on snatching as much information as they can.

Lucy Thomson, vice chair of the American Bar Association's science and technology law and author of the "Data Breach and Encryption Handbook," says the e-discovery process law firms execute can leave some sensitive corporate information relatively unprotected. "It's possible the information comes from a very secure source, a company with very good security. Then it goes to a law firm, and who knows what kind of security they are going to have," Thomson says.

Firms sometimes use thumb drives to gather this information. "I attended a program on e-discovery where someone from a law firm was talking about ... how [people] were collecting information on thumb drives and then taking it back to the law firm. It was very insecure ... a very informal kind of ad hoc process, with really no security built in," Thomson says.

The legal industry doesn't have its own security regulations, although firms might fall under PCI and HIPAA, depending on the scope of their practices.

Mandiant's Surdu says it's just easier to break into a law firm to get intelligence. "Law firms tend to aggregate key information from their clients ... and it's almost always a smaller organization, with less time and money spent on security than its [clients have]. It's easier to break into a law firm when all the information is piled into a single directory," Surdu says.

And law firms likely probably already had been targets for some time, but only recently are becoming aware of these low-profile, persistent attacks. "I would guess it isn't necessarily new, but just better understood," he says.

But law firms also are getting targeted with neo-Nigerian scams or other classic targeted attacks that are all about extorting money. Infante, Zumpano, Hudson & Miloch's Salazar says he gets phishing emails all the time, many of which land in his spam filter, and the theme is typically the same. In one email Salazar received, for instance, a Hong Kong-based electronics firm asked for his firm's representation in order to help it recover money from a delinquent U.S.-based entity, a fairly believable request.

"They ask where I wire the retainer. And it's usually some scam involving getting that account information" in order to steal money, Salazar says. "Here is a blanket email to as many lawyers as they can, and if they have a 1 percent success rate, they are making money, I suppose."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-21
MyQ Server in MyQ X Smart before 8.2 allows remote code execution by unprivileged users because administrative session data can be read in the %PROGRAMFILES%\MyQ\PHP\Sessions directory. The "Select server file" feature is only intended for administrators but actually does not require autho...
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log_edit.php files failing to filter the csa_to_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has web site physical path leakage vulnerability.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has an unauthorized access vulnerability in default_user_edit.php, remote attackers can exploit this vulnerability to escalate to admin privileges.
PUBLISHED: 2021-06-21
White Shark System (WSS) 1.3.2 has a sensitive information disclosure vulnerability. The if_get_addbook.php file does not have an authentication operation. Remote attackers can obtain username information for all users of the current site.