

4/6/2011 03:47 PM

Law Firms Under Siege

Legal eagles present a relatively soft target with troves of valuable corporate intelligence that cyberspies crave

Law firms are increasingly getting hit by stealthy, low-profile targeted attacks going after intelligence on their corporate clients.

Forensics investigators at Mandiant are working on twice as many targeted attacks by so-called advanced persistent threat (APT) adversaries against law firms as in years past; of the commercial victims Mandiant investigated during the past 18 months or so, 10 percent were law firms. And those are only the cases Mandiant sees: Its executives say many more go unnoticed by the victim organizations.

Why are law firms joining the ranks of federal government agencies, defense contractors, and technology companies, like Google and RSA, as targets for APTs? "Law firms are a means to an end: a defense contractor or utility" that they represent, for example, says Steve Surdu, vice president of professional services at Mandiant. Surdu says that where he once worked on just a handful of cases in which law firms were hit, he now sees a dozen to 15 at once.

Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on a new weapons system or software, for example. Firms that represent clients in mergers and acquisitions, or civil litigation, are getting hit, including when their clients are involved with deals involving Chinese companies.

Luis Salazar, partner with Infante, Zumpano, Hudson & Miloch in Coral Gables, Fla., says firms are a prime target because they are constantly being solicited for new business, often via email. "Lawyers make money off of new clients. When email messages come in that want to hire them, there is some hope and expectation of 'let me pursue it, and see if it results' in a new client," Salazar says.

Phishing attacks against law firms are nothing new -- the FBI warned firms back in November 2009 of a massive phishing campaign aimed at law firms.

When Google announced in January 2010 that it had been targeted by hackers out of China, at least one law firm was identified publicly as a victim of the same attack campaign that also hit Adobe, Intel, and other big-name players. That firm was King & Spalding, whose practice areas include corporate espionage cases. King & Spalding did not respond to requests for an interview.

Around the same time, another large firm, Gipson Hoffman & Pancione, said it was hit with a targeted attack using emails purportedly from firm employees that came with Trojan-rigged attachments.

Gipson Hoffman & Pancione is the firm representing the CyberSitter software vendor that sued the People's Republic of China and seven computer vendors for $2.2 billion in damages over the alleged piracy of CyberSitter's software for use in China's Green Dam censoring software. The firm revealed in a statement on Jan. 10 -- a week after the suit was filed -- that it had "come under a cyber attack directed from within China. The attack comes on the heels of widespread reports of Chinese cyber attacks against Google."

This type of attack is often characterized as one waged by an "APT" -- players with nation-state backing that infiltrate networks and stay there for long periods of time exfiltrating as much intelligence and intellectual property as they can. The APT adversary typically hails from various organized groups out of China that are hell-bent on snatching as much information as they can.

Lucy Thomson, vice chair of the American Bar Association's science and technology law section and author of the "Data Breach and Encryption Handbook," says the e-discovery process law firms execute can leave some sensitive corporate information relatively unprotected. "It's possible the information comes from a very secure source, a company with very good security. Then it goes to a law firm, and who knows what kind of security they are going to have," Thomson says.

Firms sometimes use thumb drives to gather this information. "I attended a program on e-discovery where someone from a law firm was talking about ... how [people] were collecting information on thumb drives and then taking it back to the law firm. It was very insecure ... a very informal kind of ad hoc process, with really no security built in," Thomson says.

The legal industry doesn't have its own security regulations, although firms might fall under PCI DSS and HIPAA, depending on the scope of their practices.

Mandiant's Surdu says it's just easier to break into a law firm to get intelligence. "Law firms tend to aggregate key information from their clients ... and it's almost always a smaller organization, with less time and money spent on security than its [clients have]. It's easier to break into a law firm when all the information is piled into a single directory," Surdu says.

And law firms have likely been targets for some time, but only recently are becoming aware of these low-profile, persistent attacks. "I would guess it isn't necessarily new, but just better understood," Surdu says.

But law firms also are being hit with neo-Nigerian scams and other classic fraud emails that are all about stealing money rather than intelligence. Infante, Zumpano, Hudson & Miloch's Salazar says he gets phishing emails all the time, many of which land in his spam filter, and the theme is typically the same. In one email Salazar received, for instance, a Hong Kong-based electronics firm asked for his firm's representation in order to help it recover money from a delinquent U.S.-based entity, a fairly believable request.

"They ask where I wire the retainer. And it's usually some scam involving getting that account information" in order to steal money, Salazar says. "Here is a blanket email to as many lawyers as they can, and if they have a 1 percent success rate, they are making money, I suppose."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
