Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Dark Overlord Hack Exemplifies Rising Cyber Risks for Law Firms

January 22, 2019

As Legaltech News (sub. req.) reported on January 8th, dozens of law firms were involved in litigation concerning the September 11th, 2001 attacks. They are probably all a bit nervous these days after a hacker group known as the Dark Overlord claimed to be in possession of 18,000 legal and insurance documents pertaining to that litigation.

How the Dark Overlord obtained the material is still unclear. It says it hacked insurers Hiscox and Lloyd’s of London, as well as World Trade Center owner Silverstein Properties. Hiscox, meanwhile, has said the breach was of an unidentified “specialist” U.S. law firm that advised it and other insurers, as well as some of its commercial policyholders. As hard as Dave Ries and I have searched for the name of that law firm, it has not yet been publicly identified.

Of course, there might have been other points of access, which the Dark Overlord is keeping secret. No one is owning up to the breach. “That’s a reputational issue and a stance that they have to take,” said Tom Ricketts, executive director at Aon Professional Services. “There is no certainty as to where the Dark Overlord has obtained the materials.”

What’s clear is that the Dark Overlord does have some material. It has released two sets of documents thus far, ranging from pleadings and opinions readily accessible from the federal court docket, invoices to clients, emails between parties in the litigation, to discovery material that’s marked confidential.

And the hacker is also open about its aims: it wants the law firms—along with insurers, investment banks, law enforcement agencies involved in the investigation into the attacks, and other parties with documents in the mix—to pay ransom to make sure the material remains secret. At the same time, it says it’s offering the world—specifically terrorist groups like Al-Qaeda, ISIS, rival nation states like Russia and China and anyone else willing to pay—the “truth” about “one of the most infamous incidents in recent history.”

In this case, law firms and insurance companies are in the line of fire.

One obvious lesson from the breach: Firms connected to the 9/11 litigation would be wise to undertake an immediate audit of their data systems, both to probe the possibility that they were exploited by the Dark Overlord and to forestall the prospect of future incursions.

A broader challenge for all law firms is that they also rely on their own service providers, who might have their own vulnerabilities. Furthermore, the daily business of lawyers involves sensitive communications with co-counsel, opposing counsel, third-party witnesses and law enforcement agencies, all potentially vulnerable.

“There’s all sorts of external entities that law firms may have to engage in communications with, and if those are obtained by a hacker, at the very least it’s embarrassing, but also quite damaging, not just to the firm but also to its clients,” said Steptoe & Johnson cybersecurity partner Michael Vatis. “The duties for a law firm go far beyond making sure its own networks and data responsibilities are kept securely.”

The spotlight is also on the need for cyberinsurance. In the case of a breach involving ransomware, most insurers will pay for a third-party digital forensics firm to investigate and determine whether or not the firm’s systems were hacked. A smaller set of policies, however, won’t pay except in the event of a proven breach.

Even if there’s no breach, firms then have to wrestle with the question of the ransom. The Dark Overlord has provided no details on what it’s seeking, save for the indication it wants to be paid in Bitcoin. But ransom demands are swelling, with Beazley reporting a high-water mark of $2.8 million.

If a firm is lucky, even if it's not responsible for the breach, its cyberinsurance policy may help out here, too. While some policies depend on an actual breach, others are predicated on a firm’s liability or responsibility for confidential information. In that circumstance, the insurer would take on the task of investigating the ransom demand and negotiating a payment.

The Dark Overlord says the initial breach resulted in a payment of ransom, but that the law firm then reported to law enforcement, which negated the terms of the deal. “We were absolutely appalled by this transgression against our agreement. We decided to offer this company a second chance to repent, accept responsibility, and satisfy our penalty request. They declined to accept our offer, so we’re here today,” the group said. The group's name seems fitting indeed.
