'Dark Overlord' Hack Shows Mounting Cyber Risks for Law Firms
The hacker group wants ransom payments from dozens of firms involved in the Sept. 11 litigation, and experts warn that more attacks are coming.
January 08, 2019 at 01:00 AM
The original version of this story was published on The American Lawyer
Dozens of law firms had their hands in the sprawling litigation that stemmed from the Sept. 11, 2001, attacks on the World Trade Center in New York City.
They represented a sweeping array of entities: first responders seeking compensation for exposure to contaminants at the site, the owner of the towers looking to collect from the airlines that let the hijackers on board, victims looking to haul the government of Saudi Arabia into U.S. court, and others.
Leaders of those law firms are all likely scratching their heads about how to handle a recent announcement from a nebulous hacker entity calling itself the Dark Overlord, which claims to be in possession of 18,000 legal and insurance documents pertaining to the court fight.
How the Dark Overlord obtained the material is still unclear. It says it hacked insurers Hiscox and Lloyd's of London, as well as World Trade Center owner Silverstein Properties. Hiscox, meanwhile, has pinned the breach on an unidentified “specialist” law firm that advised it and other insurers, as well as some of its commercial policyholders.
There might have been other points of access, which the Dark Overlord is keeping under wraps. Obviously, no one—including law firms, insurers or others in the mix—is owning up to the breach. “That's a reputational issue and a stance that they have to take,” said Tom Ricketts, executive director at Aon Professional Services. “There is no certainty as to where the Dark Overlord has obtained the materials.”
What's clear is that the Dark Overlord does have some material. It has released over 45 documents, ranging from pleadings and opinions readily accessible from the federal court docket, invoices to clients, emails between parties in the litigation, to discovery material that's marked confidential.
And the hacker is also open about its aims: it wants the law firms—along with insurers, investment banks, law enforcement agencies involved in the investigation into the attacks, and other parties with documents in the mix—to pay up in order to make sure the material doesn't see the light of day. At the same time, it says it's offering the world—or more specifically terrorist groups like Al-Qaeda and ISIS, rival nation states like Russia and China, and anyone else willing to pay—the “truth” about “one of the most recognisable incidents in recent history.”
Law Firms in the Crosshairs
In a sense, the Dark Overlord has fused the information-seizing-and-publicizing strategy pioneered by Wikileaks with the desire to cash in that's at the core of traditional ransomware attacks, where hackers encrypt a target's files and shut them out until they make a payment, usually via Bitcoin. In previous hacks, the hacker has targeted Netflix and other studios including ABC, HBO, and CBS, threatening to release episodes if the ransom isn't paid.
Now, law firms are in the line of fire.
“Hackers often want to expose things of value to them or others, and this fits in the sad but predictable pattern of hackers doing just that,” said Crowell & Moring cybersecurity partner Paul Rosen, formerly chief of staff at the Department of Homeland Security and a federal prosecutor.
One obvious takeaway from the breach: Firms connected to the Sept. 11 litigation would be wise to undertake an immediate audit of their data systems, both to probe the possibility that they were a weak link exploited by the Dark Overlord and to forestall the prospect of future incursions.
But the Dark Overlord's hack presents not just an immediate dilemma for firms connected to the Sept. 11 litigation, but a broader challenge for all law firms, which are in a unique position: Not only are they under an obligation to their clients to protect their confidential and sensitive materials, but they also rely on their own service providers, who might have their own vulnerabilities. Furthermore, the everyday business of lawyers involves sensitive communications with co-counsel, opposing counsel, third-party witnesses and law enforcement agencies.
“There's all sorts of external entities that law firms may have to engage in communications with, and if those are obtained by a hacker, at the very least it's embarrassing, but also quite damaging, not just to the firm but also to its clients,” said Steptoe & Johnson cybersecurity partner Michael Vatis. “The duties for a law firm go far beyond making sure its own networks and data responsibilities are kept securely.”
U.K.-based insurer Beazley issued a report in October finding that professional services were the second most targeted industry for ransomware attacks, trailing health care.
“We have really now started to scratch the surface of the exposures that law firms have. There is no question that the bad actors are really beginning to understand just how valuable the information that law firms hold is,” Ricketts said. “It is making law firms more of a target and is making hackers a lot more sophisticated in how they leverage this information.”
Just as audits should be on the mind of decision-makers in all firms, not just those immediately affected, so should the question of cybersecurity insurance. According to Ricketts, extortion—where confidential data has been breached and is being held to ransom—is one of the five principal areas covered by cybersecurity policies. But how different policies treat the matter varies.
Most, said Ricketts, will pay for a third party digital forensics firm to investigate and determine whether or not the firm's systems were hacked. A smaller set of policies, however, won't kick in except in the event of a proven breach.
Even if there's no breach, firms then have to wrestle with the question of the ransom. The Dark Overlord has provided no details on what it's seeking, save for the indication it wants to be paid in Bitcoin. But ransom demands are swelling, with Beazley reporting a high-water mark of $2.8 million.
If a firm is lucky, even if it's not responsible for the breach, its cyberinsurance policy may help out here, too. While some policies depend on an actual breach, others are predicated on a firm's liability or responsibility for confidential information. In that circumstance, the insurer would take on the task of investigating the ransom demand and negotiating a payment.
There's another scenario as well. A firm might also have a kidnap, ransom and extortion policy that would cover the hacker's demand.
“The firm is going to have to do a lot of work with their broker to analyze the two policies, determine how they're interrelated and analyze what sort of response is going to have to be employed,” Ricketts said.
Whether it's the insurer or the firm itself that elects to negotiate with hackers, they need to keep several things in mind: “The party that's seeking your ransom is a thief,” said Barry Temkin, a partner at Mound Cotton Wollan & Greengrass and an expert on professional responsibility. Consequently, the success of the effort depends on an unethical actor behaving honestly.
“What I've heard anecdotally: There is a certain amount of honor among thieves,” Temkin added.
To hear the Dark Overlord tell the story, its hack is currently in the public eye because someone else failed to act honorably. The hacker claims that it was first introduced to the cache of 9/11 documents via a hack into a “seemingly ordinary company located in the United States.” That company allegedly complied with an initial ransom request, before taking the matter to law enforcement, violating what the hacker said were the terms of the deal.
“We were absolutely appalled by this transgression against our agreement. We decided to offer this company a second chance to repent, accept responsibility, and satisfy our penalty request. They declined to accept our offer, so we're here today,” the group said.
Another wrinkle in ransom payments comes from the ambiguous identity of a given hacker. While one associate in cybercrime has pegged the Dark Overlord as a group of three individuals between ages 20 and 40, there's always the prospect that an anonymous hacker could be a sanctioned entity or regime. Making payments to a member of a designated terrorist group could invite legal trouble.
Luckily, those in positions of power in this industry have gotten where they are in part because of their skill in weighing competing theories and forms of evidence.
“The decision about whether to pay a ransom for the return or release of data is often a business one, after appropriately evaluating the legal, practical and associated risks,” Rosen warned.