Dark Reading is reporting that law firms are increasingly the target of stealthy, under-the-radar attacks aimed at gathering and exfiltrating intelligence about their corporate clients. Forensics investigators at Mandiant are seeing twice as many targeted attacks involving advanced persistent threats (APT) against law firms as they have before. It is highly likely that many more law firms, and other companies, are being attacked in this way and don't even realize it.
Law firms appear to be a means to an end; the actual target is a client they represent. Firms that handle mergers and acquisitions or civil litigation are being hit hard, particularly those working on deals involving Chinese companies. Attackers find law firms an attractive and relatively soft target: they generally have a weaker security posture than the client whose intelligence the attacker is after, and they are constantly being solicited for new business, often via email. When a message arrives seeking to hire the firm, staff will usually open it and follow up to see whether it results in a new client, and new clients are where law firms make their real money.
The e-discovery process law firms execute can leave sensitive client information relatively unprotected. Firms sometimes use USB drives to gather information at the client site and take it back to the firm, where it may be handled and stored insecurely. Common guidelines exist, but the legal industry has no data handling security regulations of its own.
According to the article, when Google announced in January 2010 that it had been targeted by hackers operating out of China, the law firm King & Spalding, which handles corporate espionage cases, was publicly identified as a victim of the same attack campaign. Shortly afterwards, Gipson Hoffman & Pancione said it had been hit with a targeted attack using spoofed emails, purporting to come from firm employees, that carried Trojanized attachments.
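The Gipson Hoffman & Pancione case above is the classic shape of these attacks: a message that claims to come from a colleague at the firm but actually entered from outside, carrying an attachment that is not what its name suggests. The script below is an added example (mine, not from the Dark Reading article or the firms it names) of the triage check a mail gateway or an incident responder can run on such a message. The firm domain example-law.com, the relay netblock 203.0.113.0/24, and both sample messages are constructed for the example; a real deployment would take them from the firm's own mail configuration.

```python
"""Triage inbound mail that claims a firm-internal sender but arrived from
outside, and note attachments whose name or type warrants inspection.
Added example; FIRM_DOMAIN, FIRM_RELAYS and both samples are constructed."""
import ipaddress
import re
from email import message_from_string, policy

FIRM_DOMAIN = "example-law.com"                              # hypothetical firm domain
FIRM_RELAYS = [ipaddress.ip_network("203.0.113.0/24")]       # hypothetical relays that legitimate internal mail enters through
RISKY_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".js", ".vbs", ".hta", ".docm", ".xlsm"}
INSPECT_EXT = {".pdf", ".doc", ".xls", ".ppt", ".docx", ".xlsx", ".rtf", ".zip"}


def sender_domain(msg):
    """Domain of the From: address, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def received_ips(msg):
    """IPv4 addresses from Received: headers, most recent hop first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for ip in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr)):
            ips.append(ipaddress.ip_address(ip))
    return ips


def auth_failed(msg):
    """True unless the gateway recorded both SPF and DKIM passes (assumes the firm signs with DKIM)."""
    ar = str(msg.get("Authentication-Results", "")).lower()
    return "spf=pass" not in ar or "dkim=pass" not in ar


def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    hops = received_ips(msg)
    if dom == FIRM_DOMAIN:
        # Mail from our own domain must enter via our relays; the topmost
        # Received: header is the host our MX actually accepted the message from.
        entry = hops[0] if hops else None
        if entry is None or not any(entry in net for net in FIRM_RELAYS):
            findings.append(f"spoof: From {dom} but connecting host {entry} is not a firm relay")
        if auth_failed(msg):
            findings.append("spoof: SPF/DKIM did not both pass for a firm-domain sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        inner = name[: -len(ext)] if ext else name
        if ext in RISKY_EXT:
            findings.append(f"attachment: executable/macro type {name}")
        if "." in inner and "." + inner.rsplit(".", 1)[-1] in INSPECT_EXT:
            findings.append(f"attachment: double extension {name}")   # e.g. deal.pdf.exe
        elif ext in INSPECT_EXT:
            findings.append(f"attachment: document {name} should be detonated/inspected")
    return {"quarantine": any(f.startswith("spoof") for f in findings), "findings": findings}


# Constructed sample: external host, failed auth, internal-looking sender, disguised executable.
SPOOFED_SAMPLE = """\
Received: from mail.example-law.com (unknown [198.51.100.7]) by mx.example-law.com with ESMTP; Tue, 12 Jan 2010 09:14:02 -0500
Authentication-Results: mx.example-law.com; spf=fail smtp.mailfrom=example-law.com; dkim=none
From: "J. Partner" <jpartner@example-law.com>
To: associate@example-law.com
Subject: Revised deal documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached before the call.
--b1
Content-Type: application/octet-stream; name="Deal_Terms.pdf.exe"
Content-Disposition: attachment; filename="Deal_Terms.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
--b1--
"""

# Constructed sample: genuine internal mail via a firm relay with a document attachment.
LEGIT_SAMPLE = """\
Received: from relay1.example-law.com (relay1.example-law.com [203.0.113.5]) by mx.example-law.com with ESMTP; Tue, 12 Jan 2010 10:02:41 -0500
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law.com; dkim=pass header.d=example-law.com
From: "J. Partner" <jpartner@example-law.com>
To: associate@example-law.com
Subject: Engagement letter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Signed copy attached.
--b2
Content-Type: application/pdf; name="Engagement_Letter.pdf"
Content-Disposition: attachment; filename="Engagement_Letter.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, triage(raw))
```

The spoofed sample is quarantined on two independent grounds (external entry host and failed SPF/DKIM), and its attachment is flagged both as an executable and as a double extension; the legitimate sample is not quarantined, but its PDF is still marked for inspection, since Trojanized documents, not just executables, are what these campaigns typically deliver. The DKIM requirement in auth_failed is an assumption about the firm's mail setup; a firm that does not sign outbound mail should drop that clause or it will flag its own traffic.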
I hope my friends and colleagues at Canadian law firms and the Bar Association are paying attention to this very real threat, and are taking the necessary precautions to harden systems, educate their users, and monitor their network traffic.