In one sense, this story from Fortune isn't new. It was heavily reported earlier this year that a series of breaches struck large law firms in 2015, but it now appears that the breaches were far more pervasive than reported and carried out by people with ties to the Chinese government, according to evidence seen by Fortune.
The incidents involved hackers getting into the e-mail accounts of partners at well-known firms, and then relaying messages and other data from the partners' in-boxes to outside servers. In the case of one firm, the attacks took place over a 94-day period starting in March of 2015, and resulted in the hackers stealing about seven gigabytes of data. That figure would typically amount to tens or hundreds of thousands of e-mails.
The information also revealed the thefts took place in one-hour increments, and that the hackers returned repeatedly in search of new information. News of the law firm breaches appeared earlier this year when the Wall Street Journal reported that hackers had penetrated the computer networks of Cravath Swaine & Moore, Weil Gotshal & Manges and other unidentified firms.
The earlier news of the law firm breaches did not say who conducted the hacking, but Fortune obtained what it called reliable information that indicates the breaches took place as part of a larger initiative by the Chinese government. This initiative also saw the hackers target big U.S. companies, including a major airline. The 2015 attack reflected familiar patterns of hacking employed by individuals with connections to the Chinese government.
The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the e-mail theft may indeed have been economic in nature. This is no surprise to anyone who has been watching what is going on – economic motives loom large in hacking.
Multiple sources in law enforcement and at the law firms declined to go on record for this story (also not a surprise), but confirmed the role of China in the e-mail hacking campaign. The sources did not wish to speak publicly in part because the events are the subject of a confidential investigation. The office of the U.S. Attorney for the Southern District of New York launched the investigation earlier this year, and it is active and ongoing. A spokesperson for the office declined to comment.
The targets were numerous. In addition to the ones named by the Journal, evidence also shows the hackers tried to target other prominent law firms, including Cleary Gottlieb; Mayer Brown; Latham & Watkins; Covington & Burling; and Davis Polk & Wardwell. The hacking attempts did not always succeed, as some firms rebuffed the attacks or prevented the attackers from removing any data.
The firms chose not to comment in part because cybersecurity is a sensitive matter and, like other organizations, they do not want to draw attention to themselves—regardless of whether a breach has occurred or not. You have heard me say that many times. Firms generally get "outed" – they don't out themselves.
In the case of successful attacks, firms had deployed firewalls and other measures to guard their networks, but they failed to detect the e-mail-driven attack. Such attacks, known as "spear-phishing," target victims with personalized e-mails.
Meanwhile, there have been fresh attempts to compromise law firms with new forms of phishing attacks. Last week, for instance, New York's Attorney General, Eric Schneiderman, warned of a scam that involved sending e-mails to lawyers purporting to be from his office. Similar warnings have been issued by a number of states, as I reported yesterday.
This is my first hat tip to Jim Calloway, my co-host on the Legal Talk Network's Digital Edge podcast. Jim usually gets his cybersecurity news from me – but thanks for catching this one early, Cowboy!
And if you're still shopping for holiday tech toys, well that's what our latest podcast highlights - complete with sound effects. Go have fun – after all, 'tis the season!