The charges against a Macau-based cyber gang for breaching prominent New York-based law firms to steal non-public data on upcoming mergers, resulting in millions of dollars in illicit profits, are a fresh warning to a sector already being broadly targeted by hackers.

In the scheme, Iat Hong, Bo Zheng and Chin Hung targeted seven unnamed New York law firms, eventually busting their way into two of them, which provided legal and advisory services to companies in the mergers and acquisitions (M&A) space, and used the material, non-public information to buy stock in target firms, according to federal charges released last week.

As a result of the insider information the group pilfered from the networks and servers of the two punctured law firms, between April 2014 and late 2015, they bought shares in five publicly-traded companies before major deals, eventually garnering illicit profits of $4 million, according to court documents.

Though this latest attack was against a law firm, the message is clear to all manner of entities involved in analyzing, safeguarding or auditing non-public data – including financial institutions with business analysts and securities trading arms – that they must bolster their cyber defenses lest they find themselves hacked and criminals enriching their coffers on breached data.

Hackers are increasingly painting a bullseye on the cyber defenses of law firms, attempting to gain access to a “treasure trove” of sensitive, material and confidential information on everything from mergers and missteps to patents and punitive lawsuits, say analysts interviewed by ACFCS.

The concern by law firms is an acknowledgement of the ever increasing aggressiveness of cyber assassins – in recent years puncturing many of the nation’s largest retailers and banks, including Target, Home Depot and JPMorgan, and government data nodes, such as the Office of Personnel Management – and the reality that the response to such incursions has at times been fragmented.

Law firms, particularly smaller operations, may also be hampered by a lack of budgets, staff or expertise on the cyber front.

“Law firms are a bigger target for hackers because of the sensitive information that they hold,” Richard Bortnick, senior counsel in the New Jersey office of Traub, Lieberman, Straus & Shrewsberry LLP and publisher of cyber industry blog, Cyberinquirer.com, told ACFCS in March. “And not only for client information, but also business and financial information.”

The group in this latest hack attack faces a 13-count indictment with charges including insider trading, computer intrusion and wire fraud. The insider trading charges alone carry 20-year sentences. The charges were brought in connection with the President’s Financial Fraud Enforcement Task Force.

Once the hackers obtained access to the law firms’ networks, they specifically parsed out and targeted the “email accounts of law firm partners who worked on high-profile M&A transactions,” according to prosecutors. “In each case, one of the two infiltrated law firms represented either the target or a contemplated or actual acquirer in the transaction.”

Law firms a tempting target of confidential, material information

Here are some examples of information hackers would find attractive at a law firm and why:

  • Financial disclosures: Law firms typically review quarterly and annual reports and information on behalf of clients. This information is sensitive and secret until it is publicly released. If a hacker gets their hands on those financials, they could use it for insider trading, espionage, and blackmail. The hackers could also just sell the secret technical information directly to a competing company, or provide the information for free on the internet to harm the company.
  • Litigation leak: This could be part and parcel of an annual report as well, but if hackers can get details on the status of current or upcoming litigation, either outcomes, strategies or costs, the groups can blackmail the company or sell secrets to opposing legal teams, particularly if the issues could have a material effect on the bottom line.
  • Purloined patents: “A lot of companies use law firms to seek patents,” Pinson said. “But until the company obtains a patent and it’s protected, all they are are trade secrets. If someone could gain access to non-patented trade secrets, it could be a race to the patent office.” The hackers could also just sell the information to a company directly who wants to use the technology without having to pay for rights to use it or give credit to the originating company.
  • Nosy negotiations: Another example would be, say, when a company is negotiating for lease rights tied to development of a natural gas field or similar such deal where multiple firms are bidding for a slice of a potentially profitable pie. If one entity can get insight into the monies available to other companies, their negotiation strategies or even some of the secret, attorney-client information a firm doesn’t want getting out, it could give a major advantage to an operation.

Latest law firm hack attack a ‘wake-up call’ for sector

“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” said Manhattan U.S. Attorney Preet Bharara.

The companies the hackers traded on included a possible acquisition of U.S.-based drug firm Intermune, a contemplated merger between technology firm Intel and circuit manufacturer Altera, and an acquisition of Borderfree Inc., an e-commerce company, by Pitney Bowes, an international business services company.

In some cases, the expected merger never happened, but other companies stepped in to purchase the target firm, or in one case, a newspaper leaked details of the possible acquisition after the hackers had already purchased shares, resulting in massive financial windfalls.

Prior to the expected buyout dates, the defendants typically bought hundreds of thousands of shares, and saw the prices surge as high as double the original purchase price, resulting in profits of more than a million dollars in one case and hundreds of thousands of dollars in others.

The gang allegedly broke into the law firm’s servers in one instance with the stolen credentials of a single employee, but then installed malware to spread their influence and control to other machines and get information on the attorneys working on the biggest buyout deals.

The hackers, who also ran a robotics business, also allegedly breached the servers of several companies in the robotics space to steal details about proprietary information “concerning the technology and design of consumer robotic products, including detailed and confidential proprietary design schematics.”  

Tips for law firms to keep the hackers out:

  • Tactical Training: Train all members of the firm, from assistants to top partners, about classic and emerging cyber attack patterns. These would include email scams, phishing, spear phishing and business email compromise attacks so they will think twice about clicking on an unknown link or wiring funds to a strange foreign locale, even if the email seems to come from the CEO.
  • Systems, software: Ensure that all computers linked to the network have stout and updated anti-virus systems, and that programs and operating systems have all the latest patches installed. Tarrying on these can allow outstanding vulnerabilities, in some cases ones that have already been secured by the companies that created the systems, to persist, allowing easier access for criminals.
  • Access monitoring, restrictions: Mirroring what many large banks and corporations are doing, law firms should consider limiting access to systems to only a small handful of IT professionals so it can be very difficult for rank and file employees, or a criminal who steals their login credentials, to get into the broader system. As well, law firms should potentially invest in network monitoring systems that can reveal if one person’s terminal has been corrupted and is hemorrhaging client data to an unknown, foreign IP address.
  • Vulnerability assessment: Currently, financial institutions, and even government and other entities considered critical infrastructure pieces are under significant pressure to improve cyber defenses, resilience and recovery programs. To do this, many institutions are engaging with outside consulting firms to do a “cyber risk assessment,” that will gauge company systems, weak points and current illicit attack vectors. The goal is to find the gaps before the bad guys do and try to shorten the gulf between what the network is and what it should be. Law firms should consider a similar strategy and even take a gander at the widely available and lauded NIST framework.
  • Separation of duties: The IT person was typically the one who kept the Internet up, phones working, email coming in and going out and ensured the data was secure. When it came to cybersecurity, many law firms just put another hat on that person and said, oh yeah, by the way, make sure to keep hackers out too. That dynamic may not be enough anymore. More large companies are creating divisions separate from IT that are devoted full time to monitoring for network threats, cyber attacks, data breaches and even attempts to crack systems that are not fully perforated. That is something law firms should also consider.
  • Physical security: Lawyers are no stranger to the trials and tribulations of data mining, electronic discovery and generally having to sift through mounds of information. But the same security procedures for the online world need to be undertaken for the physical world. Attorneys also routinely have to get boxes and boxes of records, including, say, medical records. What is stopping an insider, or janitor, or someone else from waltzing in after hours, photocopying the documents, and putting the box back where they found it? Law firms should consider restricting access to sensitive physical records and even adding cameras.
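
The access-monitoring tip above, as an added example that is not part of the original article: a Python check over constructed flow records that flags a workstation sending a large volume of data to an external address it never contacted during a baseline period. The host names, addresses, internal range and byte threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (day, source host, destination IP, bytes sent out).
FLOWS = [
    (1, "ws-assoc-07", "203.0.113.10", 40_000),
    (1, "ws-partner-02", "203.0.113.10", 55_000),
    (2, "ws-assoc-07", "203.0.113.10", 38_000),
    (2, "ws-partner-02", "198.51.100.25", 12_000),
    (3, "ws-assoc-07", "203.0.113.10", 41_000),
    (3, "ws-partner-02", "192.0.2.77", 9_500_000),  # large upload to a new address
    (3, "ws-partner-02", "10.0.4.20", 80_000_000),  # internal file server, ignored
    (3, "ws-assoc-07", "192.0.2.80", 3_000),        # new address, but tiny
]
INTERNAL = [ip_network("10.0.0.0/8")]  # assumed internal address range
THRESHOLD = 1_000_000                  # assumed daily byte limit per new destination


def find_suspect_uploads(flows, baseline_days, internal=INTERNAL, threshold=THRESHOLD):
    """Return sorted (day, host, dst, bytes) tuples where a host sent more than
    `threshold` bytes in one day to an external address that it never
    contacted on any of the baseline days."""
    def is_external(dst):
        return not any(ip_address(dst) in net for net in internal)

    # Pass 1: learn each host's normal destinations from the baseline days.
    known = defaultdict(set)
    for day, host, dst, _ in flows:
        if day in baseline_days:
            known[host].add(dst)

    # Pass 2: total the bytes sent to external, never-seen destinations.
    totals = defaultdict(int)
    for day, host, dst, sent in flows:
        if day in baseline_days or not is_external(dst) or dst in known[host]:
            continue
        totals[(day, host, dst)] += sent

    return sorted((d, h, ip, b) for (d, h, ip), b in totals.items() if b > threshold)


if __name__ == "__main__":
    for day, host, dst, sent in find_suspect_uploads(FLOWS, baseline_days={1, 2}):
        print(f"day {day}: {host} sent {sent:,} bytes to new destination {dst}")
```

A per-host baseline keeps routine traffic quiet while a single workstation that suddenly uploads to an unfamiliar address stands out; in practice the threshold and baseline window need tuning against the firm's own traffic.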