Law firms under cyberattack

In April 2023, Australian law firm HWL Ebsworth was hit by a cyberattack that possibly resulted in data of hundreds of its clients and dozens of government agencies being compromised. The attack was claimed by the Russian-linked ALPHV/Blackcat ransomware group.

“Earlier this month, the group published 1.1TB of the data it claimed to have stolen, later established to be 3.6TB worth of data,” Guardian Australia reported.

Throughout January and February of 2023, eSentire, deflected 10 cyberattacks hitting six different law firms.

“The attacks emanated from two separate threat campaigns. One campaign attempted to infect law firm employees with the GootLoader malware. The other campaign hit law firm employees and other victims with the SocGholish malware,” the company revealed.

In both cases, the malware was distributed via compromised WordPress websites that legal professionals are likely to visit, and was disguised as agreement/contract templates and (fake) Chrome security updates.

Why is a law firm an attractive target for a cyberattack?

As the UK National Cyber Security Centre (NCSC) noted in a recent report focusing on cyber threats to the legal sector, law firms handle sensitive client information that cybercriminals may find useful, including exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice.

The potential consequences of such breaches can be severe, as the disruption of business operations can incur substantial costs. Ransomware gangs specifically target law firms to extort money in exchange for allowing the restoration of business operations.

In 2020, the Solicitors Regulation Authority (SRA) published a cybersecurity review revealing that 30 out of 40 of the law firms they visited have been victims of a cyberattack. In the remaining ten, cybercriminals have directly targeted their clients through legal transactions.

“While not all incidents culminated in a financial loss for clients, 23 of the 30 cases in which firms were directly targeted saw a total of more than £4m [$5m+] of client money stolen,” the SRA noted.

“The financial impact of a loss of data is more difficult to calculate, but we found these often resulted in indirect financial costs. For example, one firm lost around £150,000 [$190,000] worth of billable hours following an attack which crippled their system.”

The importance of maintaining a reputable image also makes legal practices appealing targets for extortion attempts.

Who’s targeting law firms and how?

Law firms are targeted by cybercriminals, who seek to exploit vulnerabilities for financial gain; nation states, interested in gathering intelligence or gaining an advantage in geopolitical conflicts; and hacktivists, who aim to disrupt or expose activities they deem unethical. Law firms also have to worry about insider threats – (former) employees or associates who may misuse or leak sensitive information.

Law firms receive and send a significant number of emails on a daily basis. This high volume of correspondence creates an opportunity for cybercriminals to exploit the situation by leveraging phishing or business email compromise (BEC) attacks, thus stealing sensitive information, such as access credentials, valuable data, or other confidential details.

“Law firms are attractive targets for BEC because they often transfer significant sums of money, or ask to view sensitive documents such as financial records, contracts and designs. They are also generally seen as trustworthy and authoritative, two qualities that attackers can make use of when devising a phishing attack,” the NCSC noted.

Law firms handle highly sensitive information, and cybercriminals exploit this vulnerability by employing ransomware and other malware, expecting that the victims will choose to pay the ransom to prevent the publication of their sensitive data online. They are not wrong: According to recent Trend Micro and Waratah Analytics research, legal firms are more likely to give in to ransom demands when compared to other industries (except the financial industry).

Password attacks are also frequent among law firms, primarily attributed to security vulnerabilities such as password reuse, weak passwords, excessive permissions, open access, and the absence of multi-factor authentication (MFA).

Another vulnerability stems from the reliance of legal practices, particularly smaller ones, on external IT service providers. They often lack the ability to evaluate the security of these systems, making them susceptible to supply chain attacks.

“By far the greatest supply chain issue is a third party failing to adequately secure the systems that hold your sensitive data,” the NCSC noted.

“Whilst you might be implementing cyber security effectively within your own organisation, you’re exposed to numerous risks if your suppliers (or other third party in your supply chain) have not done the same.”

NCSC’s report provides and points to helpful cybersecurity guidance and tools for organizations in the legal sector.