BlueVoyant | Sector 17

TABLE OF CONTENTS

Executive Summary 3

Key Findings 4

Part 1: Industry Overview 5

Part 2: Threat Landscape 7
Section 1: Criminal Pursuit of Sensitive Financial Information 7
Section 2: Extortion (Non-Ransomware) 9
Section 3: Ransomware 10
Section 4: Criminal Pursuit of PII 11
Section 5: Third-Party Risks 12
Section 6: Password Breaches and Leaks 14
Section 7: Hacktivism 16

Part 3: Dark Web Overview 18

Part 4: Industry Cybersecurity Review 24
Section 1: Legal Sector Overview – Global 24
Section 2: Legal Sector Overview – In Depth 25

Conclusion - Sector 17 28

Citations and Endnotes 29

Recommendations 30

EXECUTIVE SUMMARY

In 2013, the Department of Homeland Security defined 16 sectors critical to securing national infrastructure, resources, and resiliency1. BlueVoyant, a company made up of seasoned cybersecurity experts, including former leaders in our intelligence and law enforcement communities, has identified one more: the legal sector.

The integrity of U.S. and international law firms is indispensable to the functioning of our economies and key public and private institutions. The legal sector ensures justice and order, as well as providing mechanisms that encourage and safeguard innovation and economic growth. The lawyers who help interpret, apply, and enforce the law necessarily become trusted advisors to individuals and corporations. Like healthcare institutions, law firms hold troves of personally identifiable information (PII); they also hold critical intellectual property (IP) and sensitive data for clients. Like banks and credit unions, law firms are critical to the proper functioning of our economy. And like no other sector, except perhaps government, law firms act as a major arbiter and safekeeper of public trust.

Like many of these critical industries, the legal industry is under constant threat. Attacks on law firms have had some of the most devastating and wide-ranging effects of any cyber event in history. The 2016 ‘Panama Papers’ attack on Mossack Fonseca still affects international policy around tax havens and corporate responsibility; the 2017 ransomware attack on DLA Piper exposed the record-breaking financial and reputational costs associated with a successful cyber attack.

This report outlines the state of cybersecurity in the legal sector as of the first quarter of 2020. BlueVoyant’s global analysis found an industry that is advanced: only slightly behind finance, which is historically top among private sector industries for cybersecurity. At the same time, BlueVoyant saw multifaceted, persistent, and aggressive threats, equal to or beyond the sector’s advanced cyber defense. And despite the evident best efforts of law firms both big and small, BlueVoyant observed evidence of compromise in law firms around the world – as described herein, more than half showed some sign of compromise.

Our findings are designed to support and empower law firms globally. By recognizing the legal sector as critical to national and international defense and infrastructure, BlueVoyant aims to put a spotlight on measuring and improving cybersecurity across the legal sector.

All evidence shows that law firms are rising to meet the threats in front of them. BlueVoyant is committed to supporting law firms globally. We believe they are members of a critical sector and, as our report will reveal, we will support them by plainly identifying risks, and by monitoring and stopping threat actors as they emerge.

KEY FINDINGS

Law firms are a critical industry that possess high-value information.

Law firms today make up an $800B industry, and a surge in investment into legal platforms and technology ensures it will only get bigger. Not only are law firms a massive and important line of business, but they also provide services essential for any nation to function: maintaining justice and economic order. At the same time, given their systems house stockpiles of PII, as well as sensitive corporate and political data, law firms are very attractive targets for nation-state actors and advanced cybercriminal networks motivated by geopolitical and financial ends.

Collectively, law firms make up one of the most advanced and proactive sectors when it comes to the strength of cybersecurity.

As compared to the first 16 sectors, the legal sector earned a risk rating close to sectors like finance and energy: sectors typically considered the most advanced and sophisticated in terms of cyber defense. Benchmarks consistently revealed above-average defensive postures, as well as excellent cybersecurity practices and configurations.

In spite of these positive findings, threat targeting against law firms globally is aggressive, constant, and multifaceted.

While legal cyberdefenses are generally robust, so too are the motivations of their adversaries and the attacks waged against them. Using both unique visibility into global internet traffic and deep and dark web surveillance, BlueVoyant observed millions of threats targeting the legal sector. These threats were not only high-volume and constant, amounting to hundreds of thousands of attempted attacks against law firms daily; they were also highly targeted, as evidenced by numerous engagements with threat actors on the deep and dark web. Threat actors steal and abuse credentials; probe for network vulnerabilities; use anonymizing tools and proxies; and make use of persistent, advanced tactics in order to ‘crack’ law firms around the world.

Despite the best efforts of law firms globally, BlueVoyant analysis discovered non-trivial evidence of compromise – from the largest, most sophisticated global firms to mid-tier and boutique practices.

Our global survey of internet traffic showed evidence of possible compromise originating from law firms around the world. More concerning, an in-depth analysis of 20 representative law firms found strong evidence of compromise at 3 of the 20 (15%), while a further 9 firms showed evidence of suspicious traffic.

Part 1: Industry Overview

Law is big business, and getting bigger. Law firms made up a US $800 billion industry in 20182. And Forbes pointed out that that was just the start: over the course of 2018 alone, the legal industry saw an astonishing 718% increase in investment3. This makes law firms ripe targets for financially-motivated attacks, such as ransomware, blackmail, and fraud schemes.

The Shape of Risk

Across the board, however, whether a top 50 global firm or a regional market player, cybersecurity threats to law firms have grown rapidly. In a 2017 survey, one in five law firms reported breaches4. By 2019, that number grew to 26%5. According to the 2019 PwC Law Firms’ survey, 100% of Top 100 law firms experienced some cyber event6.

Law firms are specifically targeted because they hold sensitive corporate or geopolitical data on their clients. Desire to obtain this information has driven many of the major law firm attacks over the last decade – attacks that have embarrassed the industry and put tremendous pressure on firms to avoid being the next Mossack Fonseca or DLA Piper.

Examples of highly publicized breaches since 2012:

• 2012: Wiley Rein is hacked by a Chinese nation-state APT for IP related to a client developing solar panels
• 2014: Thirty-Nine Essex Street (UK) is hacked by a Russian APT linked to economic espionage
• 2016: The Mossack Fonseca ‘Panama Papers’ breach exposes 11.5 million documents linked to tax avoidance and tax evasion, leading to one of the most significant data leaks ever
• 2017: DLA Piper is hit with the NotPetya ransomware, which rapidly spreads throughout firm servers and nearly shuts down the business - causing enormous damages in direct and indirect costs
• 2019: The ‘9/11 Papers’ attack executed by a hacking group known as The Dark Overlord successfully steals data from several law firms and threatens to release it, citing embarrassing information about planning projects after 9/11
• 2020: The ‘Luanda Leaks’, a data trove incriminating the former President of Angola - the result of an attack by a Portuguese on several banks and law firms

These attacks, motivated variously by financial gain (as in the case of DLA Piper), or espionage (as in the case of Wiley Rein), or hacktivism (as in the 9/11 Papers), all hold two things in common: they all achieved national or international notoriety; and they all caused extreme damage or closure to the law firms affected.


Improvements in Cybersecurity Practice

Thankfully, the increase in cyber events has led to a corresponding improvement in practice: in 2017 many law firms didn’t employ a dedicated Chief Information Security Officer (CISO)7, whereas today the practice is nearly universal. These changes in cybersecurity management are driven by cost, and by the public nature of many major breaches8, but they are also driven by pressure from clients. One CISO from a top-20 law firm told us, “One of the reasons that we have good policies and procedures in place is because they are driven by financial institutions. They audit us to make sure that we meet their own internal standards, or better.”

The advanced cyber hygiene displayed by most global law firms is also a by-product of a rapidly-changing regulatory and litigation landscape. Historically, lawyers were only bound by broad ethical edicts, such as the ABA’s Model Rules of Professional Conduct – in particular 1.1 (and 1.6c): “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” More recently, such rules have expanded – for example, the ABA Standing Committee on Ethics and Professional Responsibility9 has issued guidance and formal opinions, especially Formal Opinion 483, which addresses a lawyer’s obligations after a cyber attack10.

Increasingly, however, codes of conduct are giving way to legislation defining proper data privacy and stringent breach disclosure requirements. The introduction of the European General Data Protection Regulation (GDPR) in 2018 marked sweeping changes to the way firms globally store and share private data. Other countries are following suit: Brazil’s national data protection law, modeled after the GDPR, takes effect in August 2020. In the U.S., states have passed progressively broader legislation on the handling of personal data and breaches (for example, the edicts outlined in the 2019 NY Shield Act)11. Federal lawmakers continue to call for a country-wide data protection law as well.

Part 2: Threat Landscape

The threat landscape facing law firms is verdant, with threat actors using varied tactics, of varied sophistication, for different ends. And those tactics, techniques, and protocols - TTPs - constantly evolve to stay ahead of cyber defense measures.

The costs associated with a network compromise event are enormous. Expenses after an incident can include the public relations response, ransom payment, legally-required notification costs, cyber forensics analysis, threat hunt operations, and attorneys’ fees. This year, there have been a number of major legal actions filed against hospitals and other institutions after a data breach. And this is all in addition to the immeasurable damage suffered to reputation and client trust.

This section outlines different kinds of threats facing law firms, including recent and current examples. The different examples show an active ecosystem of threat actors, as well as (in detail) the huge potential losses from a successful cyber attack.

Even if the matter is handled exclusively internally, the costs can skyrocket. One international law firm paid its internal IT team 15,000 hours of overtime to recover their network from the global NotPetya ransomware infection of 2017. In that instance, a team member claimed that the infection was introduced via a supplier, highlighting the contemporary need for security offerings such as third-party risk assessment. In today’s world, the boundaries of cybersecurity no longer end at the firm’s network edge.

Section 1: Criminal Pursuit of Sensitive Financial Information

Unlike a breach involving PII, security incidents in which business information is compromised do not necessarily trigger legally-mandated notification requirements. Therefore, statistics gauging the frequency and severity of these breaches are incomplete. Sensitive financial or business intelligence information may be exfiltrated without the incident ever surfacing in newspapers or government statistics. The threat is larger and more present than the shadow it casts.

2016 marked one of the most explosive insider trading infiltrations to date when two of New York’s premier law firms were compromised. The Southern District of New York ultimately indicted three individuals who, according to prosecutors, made more than $4M by leveraging pilfered insider information to place advantageous stock trades12.

...the defendants devised and carried out a scheme to enrich themselves by obtaining and trading on material, nonpublic information (“Inside Information”), exfiltrated from the networks and servers of the Victim Law Firms, concerning M&A transactions.


Then-US Attorney Preet Bharara made it very clear: “This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals.”

Examples of Insider Trading Evidence:

The 2016 insider trading indictment filed by the US Southern District of New York

Landing page for the dark web forum “The Stock Insiders”, where presumably insider information is shared amongst a small group of financially motivated cybercriminals. Depending on their areas of practice, law firms can be custodians of troves of pre-public financial information.


Section 2: Extortion (Non-Ransomware)

Law firms also stand to lose from malicious, independent hacker operations. The Dark Overlord (aka “TDO”) was a prolific cyber extortion collective most active in 2018. In addition to extorting clinics and insurance groups whose networks they had penetrated, TDO stole and published litigation documents pertaining to the 9/11 attacks in the United States. The leaks contained what appear to be scans of memos, draft work, and other sensitive legal information exchanged between international law firms. Though some of the information in the leak is procurable via public means, other materials appear to be discovery documents marked confidential13.

Mature hacker groups continue to pose a threat to the legal industry. Law firms are the custodians of sensitive information that can be leveraged by cybercriminals to reap enormous financial gains by extortion. Trade secrets, pre-public market information, and litigation documents will continue to be the target of high-level shakedown artists. Their compromise could potentially decimate a firm’s reputation, incur massive expenses such as GDPR fines or legal repercussion expenses, and therefore, jeopardize entire practices.

Examples of Insider Trading Evidence:

Left: Avatar image for the notorious hacker group The Dark Overlord aka “TDO”. Right: BlueVoyant analysts acquired the TDO 9/11 leak and observed scans of sensitive international law firm memos pertinent to ongoing litigation. Redactions by BlueVoyant.


Section 3: Ransomware

Ransomware has resurged as an existential threat to business. As of late 2019, it is reasonable to assume many ransomware attacks have exfiltrated corporate data in addition to encrypting networks and rendering entire firms supine. Ransomware tactics have evolved such that many major ransomware operations have built-in data exfiltration operations that take effect before they encrypt a network, driven by innovative ransomware groups such as Maze and the ransomware-as-a-service (RaaS) model. One of the rising major ransomware operations, the DoppelPaymer group, claimed to cybersecurity researchers that they have been exfiltrating data and selling it on dark web markets before this trend became a known criminal standard, ostensibly to “cover some costs”14. This claim reinforces the necessity of taking a legal posture that all ransomware attacks must be treated as data breaches.

This evolution in TTPs has advanced sufficiently that it is no longer a theoretical proposition.

Examples of Ransomware Activity:

BlueVoyant Cyber Threat Analysts locate and monitor the ransomware gang’s extortion blogs for threat intelligence.

The DoppelPaymer publication/extortion site warning to victim organizations.


Examples of Ransomware Activity:

BlueVoyant Cyber Threat Analysts observed another prolific ransomware gang, Pinchy Spider, the operators of the Sodinokibi (aka REvil) malware family, posting sensitive victim information to their publication/extortion site. This posting includes an explicit threat to sell the exfiltrated data and shows documents that appear to include highly sensitive financial and accounting information. Redactions by BlueVoyant.

Section 4: Criminal Pursuit of PII

It goes without saying that PII continues to be one of the most criminally monetizable, and therefore sought-after, kinds of data. One of the dark web’s most enduring and robust illicit economies is the trafficking of information that can be leveraged in identity fraud schemes. All law firms are custodians to some amount of PII and, depending on the practice’s focus, can be responsible for terabytes of criminally monetizable PII.


Examples of PII on the Dark Web:


“Fullz” information for sale on Jokers’ Stash - the most notorious online marketplace for PII. Credit card information is available for purchase along with a victim’s full name, home address, SSN, and sometimes phone numbers, email addresses, and other information. Redactions by BlueVoyant.

Similarly, tax information can be stolen and used to commit tax identity fraud. Forms W-2 have been known to be taken from high-profile law firms and used to file for tax refunds in the victims’ names15. Like so many high-profile cybercriminal achievements, this scheme was perpetrated by a phishing email masquerading as an executive-level request. PII can be breached via email inbox compromise, social engineering attacks, ransomware exfiltration, and by other means.

Section 5: Third-Party Risks

The practice of law inherently involves close cooperation with external parties. Legal teams routinely communicate with third-parties, including clients, adversarial and cooperative outside counsel, law enforcement, vendors, and other regular business partners. Law firms, however, face a higher ethical and legal responsibility to protect client information than most other sectors.


Managed IT service providers (MSPs) - who provide hardware, software, and general service support - are now considered to be a critical point of failure for countless network intrusions in 2019. MSPs fulfill all of the criteria of the ideal ransomware victim. They conduct many of their key functions using RDP (Remote Desktop Protocol), which continues to be the primary foothold for ransomware attackers. Because their services are often essential to business operations for an extensive array of clients, they are confronted with both restoration urgency and a need for quiet resolution of their forced encryption (via ransomware).

Furthermore, law firms rely on a wide range of software and applications to conduct their operations. It is a general truth that the more complicated a system becomes, the more opportunity for exploitation it faces. For this reason, law firms and legal service businesses tend to have much larger “attack surfaces.”

Examples of Ransomware Theft:

The Sodinokibi ransomware criminal organization, Pinchy Spider, posted victim documents that contained a folder labeled “Henderson Legal Services (HLS),” a national litigation support services firm. BlueVoyant analysts constantly monitor these new publication/extortion sites for threat intelligence. Redactions by BlueVoyant.

In March 2020, the law firm Epiq was struck by Ryuk ransomware, which halted their operations. This type of malware is designed and deployed by a threat group, ‘Wizard Spider’, known for including information stealers with their ransomware. It must be a general assumption moving forward that all ransomware has the built-in capability to exfiltrate data as well as hold it hostage.


Of course, documents and records acquired during the discovery phase of any legal dispute are among the most sensitive materials in the possession of law firms and legal services firms. A case’s outcome can hinge on the strategic planning that occurs during discovery. Moreover, discovery documents often contain information that is sensitive beyond the scope of the litigation matter - be it financial, intellectual property, or PII.

Law firms can help themselves by standing behind their own recommendations and tackling cyber risks immediately. Seen below is a tweet from Epiq published prior to its breach.

Discovery law firm, Epiq, tweets “now is the time to be proactive” about cybersecurity less than a month before the firm is struck with Ryuk ransomware. The tweet was later deleted.

Section 6: Password Breaches and Leaks

Over the years, the ceaseless onslaught of data breaches and leaks has inured the public to the urgency of account security. Even large-scale compromise events tend to receive no more than a resigned shrug. Unfortunately, these incidents continue to provide attackers with ways into corporate networks that have devastating consequences for law firms and legal services.

As an original case study for this report, BlueVoyant selected five premier New York City-based law firms for password compromise analysis. In this limited sample of five law firms, analysts assessed that compromised business email addresses were implicated in 86 distinct breach events from as far back as December 4, 2013 to as recently as February 7, 2020. Among the five law firms, corporate domain email addresses were compromised in breach/leak events in 27,080 distinct instances.


Threat actors buy and share these credentials in order to compromise networks, and while many businesses require that employees change account passwords on a regular basis, many do not. Even when employee accounts do change passwords, threat actors will use these databases to mount credential stuffing attacks. In a credential stuffing attack, automated bots try stolen email and password combinations taken from other online accounts against a target’s login, counting on people to reuse passwords across accounts. In this way, one account’s credentials can be used to gain access to another.

Among these many breaches, BlueVoyant analysts noted corporate domain email addresses compromised in the Adult Friend Finder and Ashley Madison breaches. This troubling finding indicates that law firm employees are using their business email addresses to register for personal services at work. Computer gaming, online shopping, social media, and other non-work data compromise events were also observed in abundance.

In addition to lists formatted as email address and password pairs, known as “combolists”, these data compromise events can reveal additional information to attackers that can contribute to further attacks. For example, some breaches or leaks contain information that is invaluable to social engineering schemes, drafting convincing phishing emails, or otherwise posing as an authorized network user. The infamous Ashley Madison cheaters’ service leak contained potential blackmail on individuals with law-related usernames or even law firm email addresses.
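The exposure figures this case study reports (distinct breach events, distinct compromised instances, the date span, and which events were non-work services) can be derived from a breach-monitoring feed with logic like the following. This is an added example, not BlueVoyant’s tooling; the record schema, firm domains, breach names and category labels are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BreachRecord:
    """One row of the kind a breach-monitoring feed returns (hypothetical schema)."""
    email: str          # address as it appears in the leaked dataset
    breach: str         # name of the breach or leak event
    breach_date: date   # date of the event as reported by the feed
    has_password: bool  # True if a password or hash accompanied the address


# Constructed sample data: firm domains and breach names are hypothetical.
SAMPLE_RECORDS = [
    BreachRecord("a.partner@firm-one.example", "SocialSite2013", date(2013, 12, 4), True),
    # Same address, different case: must count as one instance, not two.
    BreachRecord("A.Partner@Firm-One.example", "SocialSite2013", date(2013, 12, 4), True),
    BreachRecord("b.associate@firm-one.example", "GameForum2016", date(2016, 5, 1), True),
    BreachRecord("c.paralegal@firm-two.example", "DatingSite2015", date(2015, 8, 18), False),
    BreachRecord("d.counsel@firm-two.example", "RetailShop2020", date(2020, 2, 7), True),
    # Address outside the monitored domains: ignored by the analysis.
    BreachRecord("someone@unrelated.example", "GameForum2016", date(2016, 5, 1), True),
]

# Hypothetical classification of breach sources; anything unlisted is treated as "work".
BREACH_CATEGORY = {
    "SocialSite2013": "social media",
    "GameForum2016": "gaming",
    "DatingSite2015": "dating",
    "RetailShop2020": "shopping",
}


def normalize(email: str) -> str:
    """Lower-case the whole address so case variants collapse to one account."""
    return email.strip().lower()


def domain_of(email: str) -> str:
    return normalize(email).rsplit("@", 1)[-1]


def analyze_exposure(records, firm_domains):
    """Summarise breach exposure for the given corporate domains.

    Returns the number of distinct breach events, distinct (address, event)
    instances, the date span of the events, per-domain instance counts and
    the non-work services involved (staff registering personal accounts
    with a business address).
    """
    firm_domains = {d.lower() for d in firm_domains}
    instances = set()   # (normalized email, breach) pairs
    event_dates = {}    # breach name -> reported date
    for rec in records:
        if domain_of(rec.email) not in firm_domains:
            continue
        instances.add((normalize(rec.email), rec.breach))
        event_dates[rec.breach] = rec.breach_date
    per_domain = Counter(domain_of(email) for email, _ in instances)
    dates = sorted(event_dates.values())
    non_work = sorted(b for b in event_dates if BREACH_CATEGORY.get(b, "work") != "work")
    return {
        "distinct_breach_events": len(event_dates),
        "distinct_instances": len(instances),
        "earliest": dates[0].isoformat() if dates else None,
        "latest": dates[-1].isoformat() if dates else None,
        "per_domain": dict(per_domain),
        "non_work_events": non_work,
    }


def accounts_to_reset(records, firm_domains):
    """Corporate addresses whose password material is in circulation.

    These are the accounts a credential-stuffing bot would try against the
    firm's own logins, so they are the first candidates for a forced reset.
    """
    firm_domains = {d.lower() for d in firm_domains}
    return sorted({
        normalize(r.email)
        for r in records
        if r.has_password and domain_of(r.email) in firm_domains
    })


if __name__ == "__main__":
    domains = {"firm-one.example", "firm-two.example"}
    for key, value in analyze_exposure(SAMPLE_RECORDS, domains).items():
        print(f"{key}: {value}")
    print("force reset:", accounts_to_reset(SAMPLE_RECORDS, domains))
```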

Compromised Data

• Date of Birth
• Passwords
• Security Questions & Answers
• Email Addresses
• Payment Histories
• Sexual Orientations
• Ethnicities
• Phone Numbers
• Genders
• Usernames
• Physical Addresses
• Names
• Website Activity


Section 7: Hacktivism

An actor operating under the alias “Phineas Fisher” is perhaps the most accomplished hacktivist in recent years. They earned a reputation for penetrating two companies and publishing sensitive corporate information, including software source code, corporate emails, contracts, and other documents16. At the end of 2019, they published a manifesto outlining their political and social philosophy as well as disclosing their hack and robbery of a Cayman Islands bank. In their manifesto, Phineas Fisher repeatedly encourages hacktivist targeting of financial institutions and other institutions that they believe constitute an unjust system17.

Content from Phineas Fisher’s Website

Phineas Fisher also identified two industry truths: vulnerable networks often get hacked by multiple parties before anything is discovered, and many private institutions are disincentivized to disclose the intrusion. For every attack that becomes public, many more go unreported.


Phineas Fisher makes their modus operandi clear, stating plainly:

Excerpts from Phineas Fisher’s Website

Part 3: Dark Web Overview

BlueVoyant maintains a robust covert presence in the dark web and on encrypted chat messaging platforms where cybercriminals conduct their business. Advanced threat actors will compromise networks and sell access to other cybercriminals who know how to monetize stolen information and/or conduct ransomware attacks. The following section not only provides an overview of law firm targeting on the dark web, but provides documentation of live interactions between BlueVoyant analysts and threat actors on deep and dark forums today. This advanced threat intelligence demonstrates that dark web risk to law firms is not only a current, but a daily and persistent threat.

In late 2019, BlueVoyant analysts observed a want-ad posted to Exploit, an elite Russian-language forum where threat actors auction malware, stolen data, and other illicit digital goods. In this post, a threat actor operating under the moniker insayder solicited access to European law firms:

Example 1: Purchasing Network Access to a US Law Firm

Translated from Russian by BlueVoyant, the post title and content are:

Buying SSH / Shell Law firms in Europe: I will buy SSH / Shells of law firms in Europe, or university of Europe where there is a law faculty. Payment will suit you. PM communications.

Later on December 25th, they supplemented:

Still searching for the right access. Payment will suit you.


Example 2: Selling Network Access to a US Law Firm

In a separate advertisement posted January 2, 2020, also on the Exploit forum, threat actor “rhammond” offered network access to a US law firm.

The auction advertisement, translated from Russian by BlueVoyant, reads:

US Law firm
Access to internet / intranet web server (mini web shell)
allow_url_fopen - On
The server is located on the corporate network and is a member of the domain.
User nt authority \ iusr
According to the records of the internal DNS server in the network about 150 workstations and servers, including file, terminal, DB, wsus, wds, wmware, print servers.
There are 5 subnets in the network (apparently, branches).
There are 4 mysql accounts (3 have file_priv) and 1 mssql account

Start $ 500
Step $ 50
Blitz $ 1000
End of 6 hours of teaching staff


The stepwise auction style is a common arrangement on Exploit. In this instance, the initial bid opens at $500. Threat actors then bid in increments predetermined by the “step” (i.e. the second bid would be $550, the third $600, and so on). Blitz, as the name suggests, means that a threat actor can outright purchase the access for $1,000.

There is no honor among thieves; threat actors often make use of guarantors to facilitate their transactions, especially for high-value propositions. For deals brokered on Exploit, the site administrator, “ad0”, often serves as a neutral third party.

Example 3: Transcript of Sales of Network Access

A written network access deal brokered between an undercover BlueVoyant analyst and a threat actor selling two corporate accesses. Redactions by BlueVoyant.


Striking the Deal: Dark Web Threat Intelligence in Action

BlueVoyant cyber threat analysts maintain deeply situated avatars across the dark web. To protect our clients, BlueVoyant is ready to engage cybercriminals and exploit interactions to gain the most precise and up-to-date threat intelligence.

In February 2020, analysts engaged a highly credible threat actor who regularly sells corporate network access on Exploit. Analysts have observed this actor selling unauthorized network access to a range of medium and large businesses across the United States and Europe. They claimed to be selling access to a US law firm. To confirm the victim was not a BlueVoyant client, we engaged the threat actor in negotiations. The following dialogue is translated from Russian and lightly edited for clarity:

XXXXXXnetwork7

wait wait 11:48

there is, now I will check 11:49

**********************.com/ 4k https://www.zoominfo.com/************** rdp [Remote Desktop Protocol access] 11:50

did you already sell it to someone else? you’ve had that access for a while. 11:51

https://prnt.sc/********* I did not sell it, I wanted to lock it [up with ransomware] myself, but I don’t have time https://prnt.sc/********* 11:53

it looks like a good fit. I’m discussing with my team now 12:03

ok, [draft the agreement] we will issue a guarantor [through the site] 12:10

Are there tax documents and inheritance information? Have you thoroughly explored it? 12:22

what antivirus? 12:22

I did not check, no antivirus 12:22


Threat actors often use ZoomInfo, a licit commercial business-intelligence subscription, to assess the value of the victims they have penetrated. This threat actor sent BlueVoyant analysts screen captures to demonstrate their network access, sharing them through Lightshot (prnt.sc), an image-sharing service popular in the cybercriminal community.

Example of Threat Actor Proof of Access:

A threat actor sent undercover BlueVoyant analysts a screen capture of a compromised endpoint within the law firm. Redactions by BlueVoyant.

Filenames located on the desktop of the compromised endpoint suggested the presence of:

• Wills
• Designations of successor
• Private health information
• Stock purchase agreements
• Scanned checks
• Employer Identification Documents (EIN)
• 401k documents
• Purchase and sale agreements
• Trust documents
• W9 banking information
• Invoices
• Property tax notices
• Private contracts
• Amortization documents
• A note titled “New Alarm Code”
• HVAC management information
• A PTO spreadsheet (likely containing employee information)
• Deeds of trust
• Property documents
• E-trade documents
• Scanned drivers licenses
• And other extremely sensitive client data


Example of Proof of Network Access:

The threat actor sent BlueVoyant analysts proof they were operating within the compromised law firm’s network.

By engaging with threat actors BlueVoyant is able to garner extremely sensitive threat intelligence. After confirming this victim was not a BlueVoyant client, a courtesy notification was immediately sent to the US-based law firm.

Part 4: Industry Cybersecurity Review

In order to provide an accurate snapshot of cybersecurity in the legal industry today, BlueVoyant analysts relied on a number of different metrics. BlueVoyant uses proprietary and open source datasets and tools in order to evaluate cyber risk. Together, these tools allow analysts unparalleled insight into global internet traffic and threat actor criminal networks. This analysis is multi-faceted, focused on identifying vulnerabilities in software, hardware, and networks; identifying and tracking threats, whether low-level probing from blacklisted assets, brute force attacks, or targeted attacks using anonymized tools; and finally, rooting out potential network compromise.

In most cases, evidence of compromise represents the highest risk alert. Vulnerabilities and threats to an organization imply potential risk: compromise means that the risk is immediate, or - worse - that damage may already be done.

Using these tools, BlueVoyant carried out two different evaluations. First, analysts reviewed global legal sector data – analyzing cybersecurity assessments for almost 2,000 law firms globally, and comparing those results against firms in other sectors. Second, analysts took a selection of 20 law firms, representing a cross-section of size and region, and carried out a much more in-depth review. This review encompassed network defense metrics, inbound threat targeting, and evidence of compromise.

Section 1: Legal Sector Overview – Global

The most encouraging outcome of the analysis was law firms’ evident focus on, and investment in, cybersecurity: legal firms in aggregate have a high cybersecurity score, not too far from firms in energy and finance (both typically at the forefront of sophisticated cyber defense).

BlueVoyant uses dozens of analytics to monitor and assess cybersecurity risk. Analyzing thousands of law firms globally, determining their risk scores, and comparing those scores to firms in other industries gives a mean score for the legal sector of 84 (out of 100). This is a decent score indicating solid cybersecurity, close to industries typically considered at the forefront of cyber defense, such as finance.

Inbound threat targeting: 100%

Furthermore, analysts looked into two metrics to determine additional appraisals of risk. One was inbound targeting - the observation of suspicious or malicious traffic directed towards IP space owned by law firms globally. This figure was not surprising: 100% of all law firms had some form of inbound threat targeting.


Analysts also examined outbound traffic, i.e., traffic originating from law firm IP space globally that communicated with known malicious domains and IPs. Although not definitive, this is a reliable indicator of malicious activity. In this case, globally, over 20% of law firms had observable malicious traffic coming from their devices and networks.

Malicious outbound traffic: 21.6%
No malicious outbound traffic: 78.4%

These figures are borne out in the in-depth analysis below. It shows that while cybersecurity at law firms is generally sophisticated, threat activity is constant and universal, and compromises are still occurring.

Section 2: Legal Sector Overview – In Depth

BlueVoyant was also looking for more granular data: live threat tracking of attackers infiltrating legal networks, and precise observations of malicious traffic leaving law firms as evidence of compromise. To find this, BlueVoyant analysts curated a wide-ranging list of law firms to monitor for threat and compromise activity more intensively. For the purposes of this report, all scans were external and non-invasive, using proprietary tools, datasets, and insight into global internet traffic.

These law firms were selected to represent wide variations in size (by revenue) and geographic base. The selected firms will remain fully anonymous and all specific traffic will be analyzed without reference to domain names or IPs. The aim is to provide a picture of cybersecurity, not to penalize or call out individual entities.

The results, overall, were clear: law firms have excellent cybersecurity. By and large, network and software configurations are hardened and secure. However, globally, they withstand high levels of threat targeting across vectors: for every firm monitored, BlueVoyant observed threat actors using different means in an effort to breach defenses. Most concerningly, 15% of the businesses surveilled had strong evidence of compromise, indicating that a strong defensive posture alone is not enough to keep attackers from getting inside your networks.


The following chart provides an overall picture, using a few simple metrics.

RISK METRIC                                   PERCENTAGE OBSERVED ACROSS LAW FIRMS
High-severity vulnerabilities observed        15%
>3,000 leaked account credentials             70%
Evidence of targeted threat activity          100%
Evidence of compromise                        15%
Evidence of anonymizing proxy use             45%

Of all firms monitored, only 15% had any evidence of high-severity vulnerabilities (severity as rated in the NIST National Vulnerability Database). This is an exceptional outcome: over three-quarters of all businesses monitored by BlueVoyant have some evidence of a high-severity vulnerability across their online infrastructure.

While concerning, it is also not surprising that all firms had evidence of targeted threat activity. ‘Targeted’ in this instance means that actors are deliberately looking for login pages or vulnerable web pages associated with the firm, as opposed to low-level scanning or subdomain enumeration. It is known that law firms face high levels of scrutiny and targeting from threat actors; this report is one of many that reconfirms that.

When discussing threats, it is easy to generalize. BlueVoyant uses proprietary and third-party feeds to identify traffic between law firm domains and blacklisted IP ranges, seeking evidence of malicious probing or scanning by potentially malicious actors. In addition, BlueVoyant digs deeper to identify any interactions between law firms and known malicious infrastructure, where traffic may reveal not only initial probing but fraudulent or malicious communication with known malicious domains and IP addresses.

Using these different data feeds, BlueVoyant analysts detected multiple variations of potentially malicious inbound traffic over a one-month observation period. This included:

• blacklisted IPs and domains reaching out to law firm assets;
• a large volume of sessions targeting vulnerable web pages, originating from known malicious infrastructure;
• evidence of attempted brute force attacks, using leaked credentials to force entry.
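The three inbound patterns listed above can be picked out of ordinary web server access logs. The script below is added as an illustration and is not part of the original report or BlueVoyant’s tooling: it runs over a handful of constructed Apache/nginx combined-format log lines and flags sources that appear on a blocklist, sources probing known-vulnerable or login paths, and sources that fail a login endpoint repeatedly inside a short window, which is the signature of a brute force or credential-stuffing run. The blocklist entry, the probe paths, the /login endpoint and the thresholds are assumptions standing in for a real feed and a real application.

```python
"""Inbound web-log triage for the three patterns listed above: requests from
blocklisted sources, probing of known-vulnerable or login paths, and repeated
failed logins (brute force / credential stuffing) inside a short window.

Hypothetical helper code; log lines, blocklist, probe paths and thresholds are
constructed stand-ins, not a real feed or application."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format, up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

BLOCKLIST = {"198.51.100.7"}                      # assumed blocklist feed entry
PROBE_PATHS = ("/wp-login.php", "/phpmyadmin/", "/.env", "/owa/", "/remote/login")
LOGIN_PATH = "/login"                             # assumed application login endpoint
BRUTE_FORCE_THRESHOLD = 5                         # this many failed logins from one IP...
BRUTE_FORCE_WINDOW_SECONDS = 120                  # ...within this many seconds


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Return sorted source IPs per category: 'blocklisted', 'probing', 'brute_force'."""
    blocklisted, probing = set(), set()
    failed_logins = defaultdict(list)             # ip -> timestamps of failed login POSTs
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                              # unparseable line: skip, do not crash
        ip, path = rec["ip"], rec["path"].split("?", 1)[0]
        if ip in BLOCKLIST:
            blocklisted.add(ip)
        if path.startswith(PROBE_PATHS):
            probing.add(ip)
        if path == LOGIN_PATH and rec["method"] == "POST" and rec["status"] in (401, 403):
            failed_logins[ip].append(rec["ts"])
    brute_force = set()
    for ip, stamps in failed_logins.items():
        stamps.sort()
        # sliding window: THRESHOLD consecutive failures spanning at most WINDOW seconds
        for i in range(len(stamps) - BRUTE_FORCE_THRESHOLD + 1):
            span = (stamps[i + BRUTE_FORCE_THRESHOLD - 1] - stamps[i]).total_seconds()
            if span <= BRUTE_FORCE_WINDOW_SECONDS:
                brute_force.add(ip)
                break
    return {"blocklisted": sorted(blocklisted),
            "probing": sorted(probing),
            "brute_force": sorted(brute_force)}


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2020:11:48:01 +0000] "GET /about HTTP/1.1" 200 5120
198.51.100.7 - - [10/Feb/2020:11:48:03 +0000] "GET /.env HTTP/1.1" 404 162
198.51.100.7 - - [10/Feb/2020:11:48:04 +0000] "GET /wp-login.php HTTP/1.1" 404 162
192.0.2.44 - - [10/Feb/2020:11:50:00 +0000] "POST /login HTTP/1.1" 401 88
192.0.2.44 - - [10/Feb/2020:11:50:05 +0000] "POST /login HTTP/1.1" 401 88
192.0.2.44 - - [10/Feb/2020:11:50:09 +0000] "POST /login HTTP/1.1" 401 88
192.0.2.44 - - [10/Feb/2020:11:50:14 +0000] "POST /login HTTP/1.1" 401 88
192.0.2.44 - - [10/Feb/2020:11:50:20 +0000] "POST /login HTTP/1.1" 401 88
203.0.113.9 - - [10/Feb/2020:11:52:00 +0000] "POST /login HTTP/1.1" 401 88
203.0.113.9 - - [10/Feb/2020:12:30:00 +0000] "POST /login HTTP/1.1" 200 412
this line is deliberately malformed
""".splitlines()

if __name__ == "__main__":
    for category, ips in triage(SAMPLE_LOG).items():
        print(f"{category}: {ips}")
```

One failed login followed by a success (203.0.113.9) is an ordinary user mistyping a password and is not flagged; five failures in twenty seconds (192.0.2.44) is. A real deployment would feed the blocklist from a threat-intelligence source and tune the window to the application’s lockout policy, but the shape of the check is the same.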


These figures are more concerning when added to the fact that 70% of law firms had over 3,000 email and password combinations – credentials – found stored in various leaks and breaches across the web. Although some of these credentials may not be valid, password reuse is very common and when added to the volume of threat targeting observed, the risk from compromise rises.

But the compromise section is of greatest concern. Roughly 15% of the companies monitored had strong evidence of compromise, and a further 45% had evidence of suspicious traffic.

There are two different ways to examine compromise. One is to monitor for law firm IPs and domains reaching out to blacklisted assets. This can sometimes be the work of a security appliance: many security products continually reach out to known blacklisted assets while updating their own index of malicious infrastructure. However, no security appliances were detected by our analytics on the networks in question. That means this traffic is more likely evidence of compromise: malware installed on a device or network that is now reaching out to a malicious command and control server.

The second way to examine compromise is to monitor evidence of traffic originating from law firms contacting known proxy services. This is suspicious: there is little reason for corporate devices to be reaching out to external IPs or domains associated with this infrastructure, which is known for frequent malicious activity. It is not, however, definitive evidence of compromise. Employees might be using anonymizing proxies for malicious purposes; but they may also be using them for sanctioned research or investigation. A surprisingly large number of IPs - just under half - were observed contacting these networks.

Figure: evidence of malicious proxies and compromised assets (evidence of malicious proxies: 45%; evidence of compromise; no evidence of compromise)

Worse, of traffic observed using these anonymizing proxies, all were evidently reaching out to known malicious domains. Some of these domains were infrastructure for known malicious campaigns, or were associated with Russian or Chinese threat actors focused on fraud.
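Both compromise indicators discussed above, together with the security-appliance caveat, can be expressed as checks over outbound flow records. The script below is an added illustration and is not part of the original report or any BlueVoyant product: it reads constructed “timestamp source destination port” records, flags internal hosts contacting blocklisted infrastructure and tests whether those contacts recur at a near-constant interval (the beaconing cadence of command-and-control check-ins), flags hosts contacting anonymizing proxy nodes as suspicious rather than compromised, and exempts hosts known to be security appliances. The indicator lists, the appliance list, the minimum contact count and the jitter threshold are assumptions.

```python
"""Outbound checks behind the two compromise indicators above: internal hosts
reaching blocklisted infrastructure (with a beaconing-cadence test) and
internal hosts reaching anonymizing proxy nodes (suspicious, not proof).
Security appliances that legitimately poll bad IPs are exempted.

Hypothetical helper code; flow records and indicator lists are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

BLOCKLISTED_IPS = {"203.0.113.200"}     # assumed C2 / blocklist feed entry
PROXY_IPS = {"198.51.100.33"}           # assumed anonymizing proxy / Tor node
SECURITY_APPLIANCES = {"10.0.0.5"}      # hosts expected to contact bad IPs (feed refresh)
MIN_CONNECTIONS = 4                     # fewer contacts: no cadence to judge
MAX_JITTER = 0.25                       # stdev/mean of intervals at or below this = regular


def parse_flows(lines):
    """'epoch_seconds src_ip dst_ip dst_port' per line; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def is_beaconing(timestamps):
    """True when there are enough contacts and the gaps between them are nearly constant."""
    if len(timestamps) < MIN_CONNECTIONS:
        return False
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= MAX_JITTER


def assess_outbound(lines):
    """Return {src_ip: {'verdict': ..., 'reasons': [...]}} for every flagged internal host."""
    contacts = defaultdict(list)        # (src, dst) -> contact timestamps
    for ts, src, dst, _port in parse_flows(lines):
        contacts[(src, dst)].append(ts)
    report = {}
    for (src, dst), stamps in contacts.items():
        if src in SECURITY_APPLIANCES:
            continue                    # polls bad IPs while updating its own index
        entry = report.setdefault(src, {"verdict": "none", "reasons": []})
        if dst in BLOCKLISTED_IPS:
            cadence = "regular cadence (beaconing)" if is_beaconing(stamps) else "irregular cadence"
            entry["reasons"].append(f"{len(stamps)} contacts with blocklisted {dst}, {cadence}")
            entry["verdict"] = "likely compromise"
        elif dst in PROXY_IPS:
            entry["reasons"].append(f"{len(stamps)} contacts with anonymizing proxy {dst}")
            if entry["verdict"] == "none":
                entry["verdict"] = "suspicious"
    return {src: e for src, e in report.items() if e["reasons"]}


# Constructed sample flows: one host checking in every ~300 s with a blocklisted IP,
# one host touching a proxy node, one security appliance, one clean host.
SAMPLE_FLOWS = """\
1580000000 10.0.1.20 203.0.113.200 443
1580000300 10.0.1.20 203.0.113.200 443
1580000601 10.0.1.20 203.0.113.200 443
1580000899 10.0.1.20 203.0.113.200 443
1580001200 10.0.1.20 203.0.113.200 443
1580000010 10.0.1.21 198.51.100.33 9001
1580000020 10.0.1.21 192.0.2.80 443
1580000030 10.0.0.5 203.0.113.200 443
1580000040 10.0.1.22 192.0.2.80 443
not a flow record
""".splitlines()

if __name__ == "__main__":
    for src, entry in assess_outbound(SAMPLE_FLOWS).items():
        print(src, entry["verdict"], "; ".join(entry["reasons"]))
```

The appliance exemption is the important caveat: the report only treats blocklist contacts as compromise because no such appliance was found on the networks in question, and an analyst running this check must first enumerate which hosts are expected to poll malicious infrastructure. The proxy check deliberately stops at “suspicious”, for the reason the text gives: sanctioned research looks the same on the wire as an insider hiding traffic.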

Conclusion - Sector 17

This report shows that the legal industry has earned its title as Sector 17. It also shows that the legal sector is performing admirably well in a condition of crisis. Threat actors are actively targeting law firms, and they are doing so daily. Threats against law firms are high volume, multi-faceted, and organized; threat actors use multiple sophisticated tools and techniques; and, despite industry-leading efforts, law firms are still being compromised successfully.

The stakes could not be higher. Attacks against law firms constitute some of the most sensational and damaging cyberattacks in history. Incidents such as the Panama Papers and Luanda Leaks can cause substantial geopolitical fallout. Breaches like the one against DLA Piper have tremendous direct and indirect financial repercussions. Any one of these can be a business-crippling event, and law firms are doing their level best under circumstances of existential threat to protect their clients and themselves.

These findings are designed to support and empower law firms globally. By recognizing the legal sector as critical to national and international defense and infrastructure, BlueVoyant aims to put a spotlight on measuring and improving cybersecurity across the sector.

Thanks to the collaborative capabilities of its three separate business units - Managed Security Services, Threat Intelligence, and Professional Services – BlueVoyant is uniquely positioned to make use of different tools and datasets in order to provide the kind of visibility and risk mitigation services that make up this report.

Citations and Endnotes

1 https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

2 https://www.forbes.com/sites/markcohen1/2019/10/07/big-money-is-betting-on-legal-industry-transformation/#1d7dd1865ce2

3 https://www.forbes.com/sites/markcohen1/2019/10/07/big-money-is-betting-on-legal-industry-transformation/#1d7dd1865ce2

4 https://www.americanbar.org/groups/law_practice/publications/techreport/2017/

5 https://www.pwc.co.uk/industries/business-services/law-firms/survey.html

6 https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/

7 https://www.pwc.co.uk/industries/business-services/law-firms/survey.html

8 https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/

9 https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/

10 https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/

11 https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/

12 https://www.reuters.com/article/us-cyber-insidertrading-idUSKBN14G1D5

13 http://www.lawjournalnewsletters.com/2019/02/01/dark-overlord-hack-shows-mounting-cyber-risks-for-law-firms/?slreturn=20200124144050

14 https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-sells-victims-data-on-darknet-if-not-paid/

15 https://www.law.com/2019/10/15/more-than-100-law-firms-have-reported-data-breaches-and-the-picture-is-getting-worse/?slreturn=20200124093942

16 https://www.vice.com/en_us/article/3k9zzk/hacking-team-hacker-phineas-fisher-has-gotten-away-with-it

17 https://data.ddosecrets.com/file/Sherwood/HackBack_EN.txt

Recommendations

The legal sector is serious about cybersecurity: firms avoid common, severe vulnerabilities and configure their systems according to best practices. But they are still being compromised. So what can law firms do to avoid a successful attack?

BlueVoyant advises a ten-step process for protecting against successful compromise.

Secure Corporate Email and Application Access

1. Enable two-factor authentication for all business applications and email, for example a password plus a code generated by an authenticator application or a hardware key/token. This will most often prevent attackers from logging in with stolen employee passwords.

2. Separate personal and work email. Attackers conduct their own research on social media and other publicly available websites to make connections between someone’s personal life and professional life. Sending emails from a work account to a personal account with sensitive corporate documents, or using a work email to register for online accounts, exposes the firm to unnecessary risk.

3. Malware will eventually get through email to firm systems. It is important to install email protection software that scans messages for malicious attachments and links. Also important is endpoint security software on all workstations and servers; this will not only block known virus signatures, but will stop malicious behavior, such as the mass encryption of files by ransomware.

4. Have someone who understands attacker techniques review the alerts that come from your cyber defense software and take action to stop attacks in progress.
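For recommendation 1, the following code shows what the “code from an authenticator application” check looks like on the server side. It is added here as an illustration and is not part of the original report: it implements RFC 6238 time-based one-time passwords on top of RFC 4226 HOTP, accepts a submitted code only within one 30-second step of clock drift either way, and refuses a code whose time step has already been consumed, so a captured code fails even inside the drift window. The secret is the RFC 6238 Appendix B test-vector key, which is why the outputs can be checked against the RFC; a real deployment provisions a random per-user secret and never reuses this one.

```python
"""Server-side verification of a time-based one-time code (RFC 6238 TOTP over
RFC 4226 HOTP), the second factor described in recommendation 1 above.

Hypothetical helper code; the secret is the RFC 6238 Appendix B test-vector key."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30        # RFC 6238 default time step
DIGITS = 6               # code length shown by most authenticator apps
DRIFT_STEPS = 1          # accept one step either side for clock skew


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(secret, submitted, unix_time, last_used_step=None):
    """Return (accepted, step). A code is accepted only if it matches a step within
    +/-DRIFT_STEPS of now and that step is newer than the last one already used,
    so a code captured by an attacker cannot be replayed even inside the window."""
    now_step = int(unix_time) // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        step = now_step + delta
        if last_used_step is not None and step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return True, step
    return False, None


# Test-vector key from RFC 6238 Appendix B; real deployments use a random per-user secret.
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC6238_SECRET, now)
    print("current code:", code, "-> accepted:", verify_totp(RFC6238_SECRET, code, now)[0])
```

The password is never part of this computation: an attacker holding a leaked password still has to produce a six-digit value derived from a secret that only the user’s device and the server hold, and the replay check means that shoulder-surfing or phishing one code buys at most one login attempt within the same half-minute.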

Enforce Personnel Policies on “Hygienic” Use of IT

5. Provide every employee with a copy of your cybersecurity policy, which must clearly detail what “safe” use of your systems entails, and conduct periodic training on safe cyber practices as well as regular (e.g. monthly) anti-phishing training.

6. Restrict access to sensitive corporate data and files to only those employees who need to know.

7. Make sure that dismissed employees have their access to systems and accounts terminated as part of the exit process, as soon as possible.


Harden Corporate Payment Processes

8. Do not allow payments to be made to new account addresses without verbal, authenticated confirmation from the responsible party. Relying solely on email for approval of payment to new accounts, without a verbal confirmation, exposes firms to significant financial losses through common payment redirection schemes.

9. Do not accept internal payment instructions by email for any payments other than regular payments; again, verbal confirmation for new or unusual payments should be part of a standard process.

Ensure that Critical Data is Backed Up and Recoverable

10. Assume that ransomware will infect your systems at some point, and make sure that the data essential to running the firm is backed up and kept offline. Most importantly: regularly test that all backups are working and recoverable.

Visit www.bluevoyant.com for more information and additional resources.
