Why Are Law Firms Targeted by Cyberattacks?

Last week The Wall Street Journal reported that two major US law firms had been hacked in the summer of 2015. Why, by whom, and what was stolen is just conjecture. The most prevalent view is that it could be hackers seeking information to game the stock exchange–a view possibly started by WSJ’s own comment, “A case last year shows that hackers have gone after sensitive material to fuel illegal trading.” Knowing who is buying what, and what price they are willing to offer, could lead to some very quick and risk-free profits.

The biggest surprise about these hacks, however, is that there is any surprise at all. More than a year ago Bloomberg reported Stewart Baker commenting, “Virtually all of the biggest [law] firms have faced some sort of data breach.”

Since no company can be secure against targeted attacks, there can be no surprise that law firms will be breached once they are targeted. 

Law firms, quite simply, have not been taking sufficient care. Yoram Golandsky, CEO at Israeli firm CybeRisk, gave an example last October. His firm had been asked to execute a red team attack against a prestigious law firm.

“Long story short,” he wrote, “in less than 48 hours we had full control of the network, all assets including servers and shares, and all of the users’ mail boxes. We managed to do this in three different ways or attack vectors: (1) we broke their WiFi encryption, (2) we used social engineering against the receptionist to run our malware, and (3) we used social engineering against one of the partners where he was convinced to open a malicious file sent via email.”

Golandsky put this in perspective with another example. “We were asked to red team one of the world’s top ten technology companies. It was hard. It took a team of three more than three weeks to get in. We succeeded and found M&A data. But we could have got that very same data in just a couple of hours if we had targeted the lawyers.”

The reality is we can expect more of these law firm hacks; and many of them may never be known. It’s not just random hackers and Chinese companies doing their own form of due diligence. SecurityWeek asked Golandsky if he thought one law firm might target another because of the multi-million dollar fees at stake in modern technology patent cases.

“I guarantee,” he commented, “that is already happening.” It would seem that not all business people play by good business rules. Golandsky explained that he attended what he thought was a standard business inquiry from a well-known and legitimate Russian businessman. He was given a suitcase full of banknotes; and was told that all he had to do was get the Inbox of a competitor. “There are not many talented young hackers who would turn down $100,000 to do what they enjoy doing,” he said.

The FBI and the Manhattan U.S. attorney’s office are said to be investigating the incidents at the two firms, named by the WSJ as Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
