Law firms are increasingly getting hit by stealthy, low-profile targeted attacks going after intelligence on their corporate clients.
Forensics investigators at Mandiant are working on twice as many targeted attacks by so-called advanced persistent threat (APT) adversaries against law firms as in years past; of the commercial victims Mandiant investigated during the past 18 months or so, 10 percent were law firms. And those are only the cases Mandiant sees: Its executives say many more go unnoticed by the victim organizations.
Why are law firms joining the ranks of federal government agencies, defense contractors, and technology companies, like Google and RSA, as targets for APTs? "Law firms are a means to an end: a defense contractor or utility" that they represent, for example, says Steve Surdu, vice president of professional services at Mandiant. Surdu says while he worked on just a handful of cases where law firms were hit, he now sees a dozen to 15 at once.
Attackers find law firms an attractive and relatively soft target for gathering the intelligence they want on a new weapons system or software, for example. Firms that represent clients in mergers and acquisitions, or civil litigation, are getting hit, including when their clients are involved with deals involving Chinese companies.
Luis Salazar, partner with Infante, Zumpano, Hudson & Miloch in Coral Gables, Fla., says firms are a prime target because they are constantly being solicited for new business, often via email. "Lawyers make money off of new clients. When email messages come in that want to hire them, there is some hope and expectation of 'let me pursue it, and see if it results' in a new client," Salazar says.
Phishing attacks against law firms are nothing new -- the FBI warned firms back in November 2009 of a massive phishing attack aimed at firms.
When Google announced in January 2010 that it had been targeted by hackers out of China, at least one law firm was identified publicly as a victim of the same attack campaign that also hit Adobe, Intel, and other big-name players. That firm was King & Spalding, which specializes in corporate espionage matters, among other things. King & Spalding did not respond to requests for an interview.
Around the same time, another large firm, Gipson Hoffman & Pancione, said it was hit with a targeted attack using emails purportedly from firm employees that came with Trojan-rigged attachments.
Gipson Hoffman & Pancione is the firm representing the CyberSitter software vendor that sued the People's Republic of China and seven computer vendors for $2.2 billion in damages over the alleged piracy of CyberSitter's software for use in China's Green Dam censoring software. The firm revealed in a statement on Jan. 10 -- a week after the suit was filed -- that it had "come under a cyber attack directed from within China. The attack comes on the heels of widespread reports of Chinese cyber attacks against Google."
This type of attack is often characterized as one waged by an "APT" -- players with nation-state backing that infiltrate networks and stay there for long periods of time exfiltrating as much intelligence and intellectual property as they can. The APT adversary typically hails from various organized groups out of China that are hell-bent on snatching as much information as they can.
Lucy Thomson, vice chair of the American Bar Association's science and technology law section and author of the "Data Breach and Encryption Handbook," says the e-discovery process law firms execute can leave some sensitive corporate information relatively unprotected. "It's possible the information comes from a very secure source, a company with very good security. Then it goes to a law firm, and who knows what kind of security they are going to have," Thomson says.
Firms sometimes use thumb drives to gather this information. "I attended a program on e-discovery where someone from a law firm was talking about ... how [people] were collecting information on thumb drives and then taking it back to the law firm. It was very insecure ... a very informal kind of ad hoc process, with really no security built in," Thomson says.
The legal industry doesn't have its own security regulations, although firms might fall under PCI and HIPAA, depending on the scope of their practices.
Mandiant's Surdu says it's just easier to break into a law firm to get intelligence. "Law firms tend to aggregate key information from their clients ... and it's almost always a smaller organization, with less time and money spent on security than its [clients have]. It's easier to break into a law firm when all the information is piled into a single directory," Surdu says.
And law firms probably have been targets for some time, but are only now becoming aware of these low-profile, persistent attacks. "I would guess it isn't necessarily new, but just better understood," he says.
But law firms also are getting targeted with neo-Nigerian scams or other classic targeted attacks that are all about extorting money. Infante, Zumpano, Hudson & Miloch's Salazar says he gets phishing emails all the time, many of which land in his spam filter, and the theme is typically the same. In one email Salazar received, for instance, a Hong Kong-based electronics firm asked for his firm's representation in order to help it recover money from a delinquent U.S.-based entity, a fairly believable request.
"They ask where I wire the retainer. And it's usually some scam involving getting that account information" in order to steal money, Salazar says. "Here is a blanket email to as many lawyers as they can, and if they have a 1 percent success rate, they are making money, I suppose."