(Credit: Greg Notzelman/iStockphoto.com)

The fact that three Chinese nationals profited off of insider-trading information illicitly obtained through the hacking of two U.S.-based law firms is one of few known certainties in yet another successful instance of law firm cyberattacks.

While the indictment from U.S. Attorney Preet Bharara of the Southern District of New York did not name the law firms infiltrated, The American Lawyer noted that based on the details in the indictment of the breached firms’ involvement in specific mergers and acquisitions (M&A) deals, it can be surmised that the firms are Cravath, Swaine & Moore and Weil, Gotshal & Manges.

For example, Weil represented Intel when the company purchased Altera, while securities filings identify Cravath as Pitney Bowes lead deal counsel. The indictment attributed Intel’s Altera purchase and M&A work concerning Pitney Bowes to the two breached law firms.

Both firms declined to comment on the indictment to The American Lawyer. Both firms, however, have been the target of cyberattacks in the past, with Cravath previously telling The American Lawyer it had experienced a “limited breach of its IT systems” in the summer of 2015, and Weil declining to comment.

The indictment outlines how the three Chinese nationals successfully penetrated and stole M&A information from both breached firms, and in doing so, sheds light on how law firms can insulate themselves from future attacks.

The ‘User Credentials’

The cyberattackers were methodical. In the summer of 2014, they began emailing each other a breakdown of M&A deals in which at least one of the breached firms was involved, including information on what partner was in charge of certain deals. They also shared a document listing the names of 11 partners in one of the firms—information easily obtained, in many cases, from a firm’s website.

Around the time the attackers were sharing this information, the indictment noted, they breached one law firm’s web servers “using the unlawfully obtained credentials” of one of the firms’ employees—a feat they would pull off again in spring 2015 when they breached the second law firm.

While it is not certain how the credentials were obtained, Erik Rasmussen, associate managing director with Kroll’s cybersecurity and investigations practice, noted that “well-crafted phishing emails are more often than not the culprit where user data, such as account name and password, is compromised.”

Phishing, or the attempt to trick users into voluntarily giving up their user credentials or downloading malware, is a highly effective tactic of infiltration, and one that is widely used against legal targets. In December 2016, phishing emails purporting to be from “The Office of The State Attorney Complaint” were sent to lawyers in several U.S. states . These emails were equipped with malicious attachments, leading state bar associations to issue warnings.

Protecting against phishing entails training employees to look out for tell-tale signs of malicious emails. These include domain names not associated with the firm or known clients, ones created on free public services such as “outlook.com,” and suspicious emails with content asking users to open an attachment or click on a link.

Law firms can also rely on email filters or separated “mirror email” servers to stop and scan all emails and attachments that come into the office, or flag any messages that come from newly registered, public or suspicious domain names. Such technology acts as a security checkpoint between a law firm’s email server and the outside world.

Phishing, however, is not the only method the Chinese nationals could have used to acquire law firm user credentials. Such information, after all, could have been previously obtained in the past hacks of widely used web services.

Joseph Abrenio, vice president of commercial services at Delta Risk and president of the Midwest Cyber Security Alliance, noted that information is routinely lost due to what he calls “password negligence”—i.e., when users employ the same password across multiple accounts. In the event of a breach of a website that has millions of users, like Yahoo or Pandora, a hacker may gain access to a user’s account password, which often is the same password the user relies on for other services, like their email or bank accounts. Therefore, Abrenio said, cyberattackers can “link user accounts between multiple systems.”

For legal, this is an immediate threat. Hacked databases from third-party web services, including Dropbox and Yahoo, were found to contain email addresses from hundreds of law firms , including Weil and Cravath. For these sites, users employed firm emails as their “login name.”

While this does not necessarily mean that the email addresses were from current or actual law firms employees, or that the third-party web service accounts were accessible from the same password used in the law firm business accounts, it does suggest that stealing user credentials is possible without targeting a law firm directly.

While Kroll’s Rasmussen noted the risks of law firms being infiltrated this way comes from firms “not incorporating security controls like multifactor [password] authentication,” it may also stem from firms failing to mitigate the dangers of shadow IT use in the office, and not properly instilling security awareness in their employees.

The Exfiltration

In the case of the M&A hacks outlined in the indictment, once inside the law firms’ servers, cyberattackers planted malware in the network, and extracted sensitive M&A data to their possession—sometimes in large tranches. The indictment notes, for example, that “more than 40 gigabytes of data” was taken from one law firm “over the course of at least eight days.”

Such theft was possible, Rasmussen explained, because it is not uncommon to see law firms unequipped to notice such large data transfer activity in their network.

“Network monitoring is a mostly proactive security control that retains a lot of data and requires a large amount of human capital to digest, triage and analyze,” he said, adding that this may be a too much of a cost for legal to shoulder.

“Many law firms still must consider the cost benefit of enlarging their internal resources to throw at a potential problem, instead of a known problem, as some firms feel they are not at risk. Current client needs often trump security needs,” he added.

Supporting his point, Novitex and the Association of Legal Administrators (ALA) recently conducted a survey of over 800 law firms and legal administration professionals worldwide and found that reducing cybersecurity risk came in a distant fourth among top concerns behind increasing net profits, attracting new clients, and bolstering revenues.

How the cyberattackers ascertained that they could take such large tranches of data from the law firms is unknown. But the indictment does note that the attackers also “attempted to cause authorized access to the networks and servers” of several other law firms engaged in M&A work with the two breached firms “on more than 100,000 occasions.”

Delta Risk’s Abrenio explained that such attempts can in some cases be “simple port scans, which attackers use to locate systems and determine what is running on the system—for example, a web server.” This suggests the possibility that the cyberattacks could assess firms’ cybersecurity and IT infrastructure before planning an attack or exfiltration.

The access attempts may have also been “brute force” attacks, Abrenio added, in which hackers “try combinations of usernames and passwords using automated tools, and it’s possible to try 100,000 combinations in minutes.”

While this is a commonly used tactic in cyberattacks, it is generally not employed by “advanced attackers,” he said, who “will be surgical in what they look for and what they take, thereby reducing the risk of detection.”

“A law firm is not going to keep an advanced attacker from getting in the network,” Abrenio added.

“Therefore, the goal should be to limit what an attacker can do once they get inside the network.”

To the extent that cyberattacks such as the ones perpetrated on two M&A law firms are inevitable, Abrenio stressed the need to secure confidential and sensitive information through the use of encryption. While this is usually done when files are in transition, it is equally important for data sitting untouched in storage, which is known as being “at rest.”

“If data encrypted at rest, that is data files on your computer desktop, on the file server, or emails, then attackers cannot read the data even if they break into the system and have access to the files,” he said.

Copyright Legal Tech News. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.