Last week The Wall Street Journal reported that two major US law firms had been hacked in the summer of 2015. Why, by whom, and what was stolen is just conjecture. The most prevalent view is that it could be hackers seeking information to game the stock exchange–a view possibly started by WSJ’s own comment, “A case last year shows that hackers have gone after sensitive material to fuel illegal trading.” Knowing who is buying what, and what price they are willing to offer, could lead to some very quick and risk-free profits.
The biggest surprise about these hacks, however, is that there is any surprise at all. More than a year ago Bloomberg reported Stewart Baker commenting, “Virtually all of the biggest [law] firms have faced some sort of data breach.”
Since no company can be secure against targeted attacks, there can be no surprise that law firms will be breached once they are targeted.
Law firms, quite simply, have not been taking sufficient care. Yoram Golandsky, CEO at Israeli firm CybeRisk, gave an example last October. His firm had been asked to execute a red team attack against a prestigious law firm.
“Long story short,” he wrote, “in less than 48 hours we had full control of the network, all assets including servers and shares, and all of the users’ mail boxes. We managed to do this in three different ways or attack vectors: (1) we broke their WiFi encryption, (2) we used social engineering against the receptionist to run our malware, and (3) we used social engineering against one of the partners where he was convinced to open a malicious file sent via email.”
Golandsky put this in perspective with another example. “We were asked to red team one of the world’s top ten technology companies. It was hard. It took a team of three more than three weeks to get in. We succeeded and found M&A data. But we could have got that very same data in just a couple of hours if we had targeted the lawyers.”
The reality is that we can expect more of these law firm hacks, and many of them may never be known. It’s not just random hackers and Chinese companies doing their own form of due diligence. SecurityWeek asked Golandsky if he thought one law firm might target another because of the multi-million dollar fees at stake in modern technology patent cases.
“I guarantee,” he commented, “that is already happening.” It would seem that not all business people play by good business rules. Golandsky explained that he attended what he thought was a standard business inquiry from a well-known and legitimate Russian businessman. He was given a suitcase full of banknotes and was told that all he had to do was get the Inbox of a competitor. “There are not many talented young hackers who would turn down $100,000 to do what they enjoy doing,” he said.
The FBI and the Manhattan U.S. attorney’s office are said to be investigating the incidents at the two firms, named by the WSJ as Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP.