'Dark Overlord' Hack Shows Mounting Cyber Risks for Law Firms
The hacker group wants ransom payments from dozens of firms involved in the Sept. 11 litigation, and experts warn that more attacks are coming.
January 07, 2019 at 04:05 PM
8 minute read
Dozens of law firms had their hands in the sprawling litigation that stemmed from the Sept. 11, 2001, attacks on the World Trade Center in New York City.
They represented a sweeping array of entities: first responders seeking compensation for exposure to contaminants at the site, the owner of the towers looking to collect from the airlines that let the hijackers on board, victims looking to haul the government of Saudi Arabia into U.S. court, and others.
Leaders of those law firms are all likely scratching their heads about how to handle a recent announcement from a nebulous hacker entity calling itself the Dark Overlord, which claims to be in possession of 18,000 legal and insurance documents pertaining to the court fight.
How the Dark Overlord obtained the material is still unclear. It says it hacked insurers Hiscox and Lloyd's of London, as well as World Trade Center owner Silverstein Properties. Hiscox, meanwhile, has pinned the breach on an unidentified “specialist” law firm that advised it and other insurers, as well as some of its commercial policyholders.
There might have been other points of access, which the Dark Overlord is keeping under wraps. Obviously, no one—including law firms, insurers or others in the mix—is owning up to the breach. ”That's a reputational issue and a stance that they have to take,” said Tom Ricketts, executive director at Aon Professional Services. “There is no certainty as to where the Dark Overlord has obtained the materials.”
What's clear is that the Dark Overlord does have some material. It has released over 45 documents, ranging from pleadings and opinions readily accessible from the federal court docket, invoices to clients, emails between parties in the litigation, to discovery material that's marked confidential.
And the hacker is also open about its aims: it wants the law firms—along with insurers, investment banks, law enforcement agencies involved in the investigation into the attacks, and other parties with documents in the mix—to pay up in order to make sure the material doesn't see the light of the day. At the same time, it says it's offering the world—or more specifically terrorist groups like Al-Qaeda, ISIS, rival nation states like Russia and China and anyone else willing to pay—the “truth” about “one of the most recognisable incidents in recent history.”
|Law Firms in the Crosshairs
In a sense, the Dark Overlord has fused the information-seizing-and-publicizing strategy pioneered by Wikileaks with the desire to cash in that's at the core of traditional ransomware attacks, where hackers encrypt a target's files and shut them out until they make a payment, usually via Bitcoin. In previous hacks, the hacker has targeted Netflix and other studios including ABC, HBO, and CBS, threatening to release episodes if the ransom isn't paid.
Now, law firms are in the line of fire.
“Hackers often want to expose things of value to them or others, and this fits in the sad but predictable pattern of hackers doing just that,” said Crowell & Moring cybersecurity partner Paul Rosen, formerly chief of staff at the Department of Homeland Security and a federal prosecutor.
One obvious takeaway from the breach: Firms connected to the Sept. 11 litigation would be wise to undertake an immediate audit of their data systems, both to probe the possibility that they were a weak link exploited by the Dark Overlord and to forestall the prospect of future incursions.
But the Dark Overlord's hack presents not just an immediate dilemma for firms connected to the Sept. 11 litigation, but a broader challenge for all law firms, which are in a unique position: Not only are they under an obligation to their clients to protect their confidential and sensitive materials, but they also rely on their own service providers, who might have their own vulnerabilities. Furthermore, the everyday business of lawyers involves sensitive communications with co-counsel, opposing counsel, third-party witnesses and law enforcement agencies.
“There's all sorts of external entities that law firms may have to engage in communications with, and if those are obtained by a hacker, at the very least it's embarrassing, but also quite damaging, not just to the firm but also to its clients,” said Steptoe & Johnson cybersecurity partner Michael Vatis. “The duties for a law firm go far beyond making sure its own networks and data responsibilities are kept securely.”
U.K.-based insurer Beazley issued a report in October finding that professional services were the second most targeted industry for ransomware attacks, trailing health care.
“We have really now started to scratch the surface of the exposures that law firms have. There is no question that the bad actors are really beginning to understand just how valuable the information that law firms hold is,” Ricketts said. “It is making law firms more of a target and is making hackers a lot more sophisticated in how they leverage this information.”
Just as audits should be on the mind of decision-makers in all firms, not just those immediately affected, so should the question of cybersecurity insurance. According to Ricketts, extortion—where confidential data has been breached and is being held to ransom—is one of the five principal areas covered by cybersecurity policies. But how different policies treat the matter varies.
Most, said Ricketts, will pay for a third party digital forensics firm to investigate and determine whether or not the firm's systems were hacked. A smaller set of policies, however, won't kick in except in the event of a proven breach.
Even if there's no breach, firms then have to wrestle with the question of the ransom. The Dark Overlord has provided no details on what it's seeking, save for the indication it wants to be paid in Bitcoin. But ransom demands are swelling, with Beazley reporting a highwater mark of $2.8 million.
If a firm is lucky, even if its not responsible for the breach, its cyberinsurance policy may help out here, too. While some policies depend on an actual breach, others are predicated on a firm's liability or responsibility for confidential information. In that circumstance, the insurer would take on the task of investigating the ransom demand and negotiating a payment.
There's another scenario as well. A firm might also have a kidnap, ransom and extortion policy that would cover the hacker's demand.
“The firm is going to have to do a lot of work with their broker to analyze the two polices, determine how they're interrelated and analyze what sort of response is going to have to be employed,” Ricketts said.
Whether it's the insurer or the firm itself that elects to negotiate with hackers, they need to keep several things in mind: “The party that's seeking your ransom is a thief,” said Barry Temkin, a partner at Mound Cotton Wollan & Greengrass and an expert on professional responsibility. Consequently, the success of the effort depends on an unethical actor behaving honestly.
“What I've heard anecdotally: There is a certain amount of honor among thieves,” Temkin added.
To hear the Dark Overlord tell the story, its hack is currently in the public eye because someone else failed to act honorably. The hacker claims that it was first introduced to the cache of 9/11 documents via a hack into a “seemingly ordinary company located in the United States.” That company allegedly complied with an initial ransom request, before taking the matter to law enforcement, violating what the hacker said were the terms of the deal.
“We were absolutely appalled by this transgression against our agreement. We decided to offer this company a second chance to repent, accept responsibility, and satisfy our penalty request. They declined to accept our offer, so we're here today,” the group said.
Another wrinkle in ransom payments comes from the ambiguous identity of a given hacker. While one associate in cybercrime has pegged the Dark Overlord as a group of three individuals between ages 20 and 40, there's always the prospect that an anonymous hacker could be a sanctioned entity or regime. Making payments to a member of the designated terrorist could invite legal trouble.
Luckily, those in positions of power in this industry have gotten where they are in part because of their skill in weighing competing theories and forms of evidence.
“The decision about whether to pay a ransom for the return or release of data is often a business one, after appropriately evaluating the legal, practical and associated risks,” Rosen warned.
Read More:
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'Further Investment in Power' Will Drive Big Law Business—But What About Clean Energy Projects?
6 minute readLegal Departments Gripe About Outside Counsel but Rarely Talk to Them
4 minute readAs Profits Rise, Law Firms Likely to Make More AI Investments in 2025
Trending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250