Law firms continue to be vulnerable to state-sponsored incursions from China, Russia and Iran, as demonstrated by a recent report detailing an alleged Chinese hack into the systems of a U.S. firm known for its expertise in intellectual property.
Internet technology company Recorded Future reported that the unnamed law firm, with clients in the pharmaceutical, technology, electronics, biomedical and automotive sectors, was one of three targets of a group of Chinese hackers between November 2017 and September 2018. The other victims were an international apparel company and a Norwegian cloud services provider.
In all three incidents, researched found that the hackers—a group known as APT10 that is backed by a unit of the Chinese Ministry of State Security—used stolen user credentials to access third-party software used by the companies, and leveraged that access to further encroach upon internal systems.
The law firm was penetrated first, in late 2017, followed by the apparel company a few months later and Norway’s Visma in August 2018. In spite of that staggered order, and the fact that Recorded Future research partner Rapid 7 discovered the breach into the apparel company using clues garnered while probing the incursion into the law firm, the attacks were conducted independently of each other.
“It wasn’t a cascade,” said Priscilla Moriuchi, director of strategic threat management at Recorded Future. “They were all compromised in parallel.”
As law firms and other businesses are relying more on third-party providers, like remote-access applications Citrix and LogMeIn, they have increased their vulnerability.
And law firms may be especially appealing targets, not because of who they are, but because of the work they do for their clients. (The Recorded Future report described the targeted firm as “a U.S. law firm specializing in intellectual property law” that “has a dedicated China practice aimed at assisting Chinese companies entering the U.S. market.”)
“They are such a great target because they have access to a good deal of non-public information,” Moriuchi said of law firms in general. “Companies may be the ultimate target, and law firms are just a way to get the data.”
This information is appealing not just to criminal entities but also to state actors.
“We talk a lot about intellectual property theft, but for law firms, the type of data they have is a much broader suite of intellectual property,” Moriuchi said, citing strategic plans, details on pending mergers and acquisitions, and documents laying out businesses’ legal responsibilities.
“All these things are useful to give an adversary this unfair advantage,” she added.
One example dates back to 2010, when an Australian resources conglomerate was in the midst of an effort to acquire a Canadian producer of potash. Hackers linked to computers in China succeeded in breaching the systems of several Canadian law firms involved in the transaction. Observers speculated that a chemical company owned by the Chinese government would be a loser if the deal went through. But after the hackers gained access to the sensitive information about the transaction, it fell apart.
Just as in the latest cyber attack, the names of those Canadian firms were never revealed. But the high odds that the public will likely never be able to tie a firm to a specific breach should be cold comfort.
“They live in the same threat environment as their clients,” Moriuchi said. “If they work with a lot of defense contractors or aerospace manufacturers or tech companies, those are sophisticated targets for nations like China, Russia and Iran.”
If step one is recognizing that they are desirable targets, step two for firms is to become more vigilant about managing their supply chain—the third-party apps they may rely on to run their systems. One part of this is increased attention to permissions: distinguishing between regular users, administrative users and those who need special access—a process known as network segmentation.
Moriuchi also cautioned that law firms aren’t just high-value targets, they are efficient targets, thanks to their large volume of clients.
“Attackers are not just victimizing that firm for one potential target, but for a lot of them,” she said. “They’ve got an extra responsibility to make sure their networks are protected.”