Law Firms Still a 'Great Target' as US Firm Falls Victim to Alleged Chinese Hack
It makes sense that hackers recently went after an unnamed firm known for its IP work, alongside other targets—law firms hold sensitive information for not just one client, but many.
February 21, 2019 at 02:00 AM
4 minute read
The original version of this story was published on The American Lawyer
Law firms continue to be vulnerable to state-sponsored incursions from China, Russia and Iran, as demonstrated by a recent report detailing an alleged Chinese hack into the systems of a U.S. firm known for its expertise in intellectual property.
Internet technology company Recorded Future reported that the unnamed law firm, with clients in the pharmaceutical, technology, electronics, biomedical and automotive sectors, was one of three targets of a group of Chinese hackers between November 2017 and September 2018. The other victims were an international apparel company and a Norwegian cloud services provider.
In all three incidents, researched found that the hackers—a group known as APT10 that is backed by a unit of the Chinese Ministry of State Security—used stolen user credentials to access third-party software used by the companies, and leveraged that access to further encroach upon internal systems.
The law firm was penetrated first, in late 2017, followed by the apparel company a few months later and Norway's Visma in August 2018. In spite of that staggered order, and the fact that Recorded Future research partner Rapid 7 discovered the breach into the apparel company using clues garnered while probing the incursion into the law firm, the attacks were conducted independently of each other.
“It wasn't a cascade,” said Priscilla Moriuchi, director of strategic threat management at Recorded Future. “They were all compromised in parallel.”
As law firms and other businesses are relying more on third-party providers, like remote-access applications Citrix and LogMeIn, they have increased their vulnerability.
And law firms may be especially appealing targets, not because of who they are, but because of the work they do for their clients. (The Recorded Future report described the targeted firm as “a U.S. law firm specializing in intellectual property law” that “has a dedicated China practice aimed at assisting Chinese companies entering the U.S. market.”)
“They are such a great target because they have access to a good deal of non-public information,” Moriuchi said of law firms in general. “Companies may be the ultimate target, and law firms are just a way to get the data.”
This information is appealing not just to criminal entities but also to state actors.
“We talk a lot about intellectual property theft, but for law firms, the type of data they have is a much broader suite of intellectual property,” Moriuchi said, citing strategic plans, details on pending mergers and acquisitions, and documents laying out businesses' legal responsibilities.
“All these things are useful to give an adversary this unfair advantage,” she added.
One example dates back to 2010, when an Australian resources conglomerate was in the midst of an effort to acquire a Canadian producer of potash. Hackers linked to computers in China succeeded in breaching the systems of several Canadian law firms involved in the transaction. Observers speculated that a chemical company owned by the Chinese government would be a loser if the deal went through. But after the hackers gained access to the sensitive information about the transaction, it fell apart.
Just as in the latest cyber attack, the names of those Canadian firms were never revealed. But the high odds that the public will likely never be able to tie a firm to a specific breach should be cold comfort.
“They live in the same threat environment as their clients,” Moriuchi said. “If they work with a lot of defense contractors or aerospace manufacturers or tech companies, those are sophisticated targets for nations like China, Russia and Iran.”
If step one is recognizing that they are desirable targets, step two for firms is to become more vigilant about managing their supply chain—the third-party apps they may rely on to run their systems. One part of this is increased attention to permissions: distinguishing between regular users, administrative users and those who need special access—a process known as network segmentation.
Moriuchi also cautioned that law firms aren't just high-value targets, they are efficient targets, thanks to their large volume of clients.
“Attackers are not just victimizing that firm for one potential target, but for a lot of them,” she said. “They've got an extra responsibility to make sure their networks are protected.”
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250