Why is the Legal Sector targeted by Cyber Criminals?
Background
The United Kingdom boasts a robust and varied legal sector, encompassing a wide spectrum of entities, ranging from small local solicitors’ practices to large multinational corporations, as well as independent barristers and barristers’ chambers.
Legal services constitute a pivotal component of the UK’s economy. As of early 2023, the sector comprises over 32,900 enterprises, including barristers, solicitors, and other legal service providers, collectively generating an estimated revenue of £43.9 billion. The legal sector also provides employment opportunities for more than 320,000 individuals.
Furthermore, the UK’s legal services play a vital role in international trade, contributing significantly to the nation’s exports, with a value of £6.8 billion in 2021.
Preserving client trust and upholding the strict confidentiality of sensitive information are fundamental principles within the legal profession. This commitment to confidentiality is not only a moral obligation but is also enshrined in professional standards outlined in the SRA’s Standards and Regulations, the Bar Standards Board’s handbook, and is supported by common law, as delineated in the Legal Services Act 2007. Therefore, it is imperative for legal organisations to maintain robust cybersecurity measures to safeguard their clients’ information. Neglecting this duty can result in severe repercussions for both the legal practice and its clientele.
According to the 2022 PricewaterhouseCoopers (PwC) Annual Law Firms Survey, larger law firms have substantially increased their investments in addressing cyber risks. In 2022, the top 100 firms allocated an average of 0.46% of their fee income towards bolstering their cybersecurity defences.
What makes the Legal Sector a Distinctive Target?
Law firms are entrusted with the critical task of safeguarding highly confidential, commercially sensitive, and often personal information, rendering them prime targets for cybercriminals and other malicious actors. Additionally, the repercussions of accidental internal data breaches can be equally daunting.
These legal entities routinely handle exceptionally sensitive client data, such as information related to ongoing criminal cases or mergers and acquisitions, which can be of significant value to criminal organisations seeking opportunities for insider trading, gaining advantages in negotiations and litigation, or undermining the justice system.
The disruption of regular business operations can prove costly for legal practices, both in terms of lost billable hours due to downtime and the expenses incurred by clients who rely on their services. Consequently, law firms become particularly attractive targets for ransomware groups looking to extort money in exchange for the restoration of IT services.
In numerous areas of law, from mergers and acquisitions to conveyancing, legal practices manage substantial funds. The time-sensitive nature of transactions, coupled with the complexity of handling numerous suppliers, clients, and intricate payrolls, creates favourable conditions for phishing attacks and business email compromise.
Many legal practices, particularly smaller firms, chambers, and individual practitioners, rely on external IT service providers, making it challenging for them to independently assess the adequacy of their security controls in relation to the risks they face. A small law firm with limited resources could face devastation if, for instance, subjected to a ransomware attack. These firms are more susceptible to attacks, potentially stemming from unpatched vulnerabilities on unmanaged devices, inadequately trained staff, or insufficient offboarding procedures for departing employees. Following an attack, even a relatively minor financial or reputational loss could have catastrophic consequences.
Given that reputation is paramount in the legal profession, legal practices become alluring targets for extortion schemes.
The Increasing Threat to the Legal Sector
In September 2020, the SRA conducted a thematic review on cybersecurity within the legal sector, shedding light on its susceptibility due to the substantial financial transactions involving law firms, their clients, and third parties. Notably, among the 40 law firms examined, 30 disclosed that they had experienced cyberattacks. The remaining 10 firms reported cybercriminals targeting their clients during transactions.
In 2021, a prominent city law firm faced data loss due to a cyberattack. The repercussions were swift, with the market reacting by erasing nearly 8% of the firm’s share value within an hour of the announcement. Furthermore, the legal sector fell victim to additional attacks, this time targeting barristers’ chambers. This underscored the critical importance of risk management when law firms engage barristers for client matters. Collaboratively, the Law Society, Bar Council, and members of the NCSC Industry 100 developed a risk-based questionnaire outlining cybersecurity best practices.
More broadly, in the last two years there has been a surge in the proliferation of “cybercrime as a service.” Seasoned attackers now offer their expertise and services to others, enabling an even larger pool of criminals to target both businesses and individuals. They provide the tools and knowledge required for novices to execute malware payloads or launch distributed denial of service (DDoS) attacks as a service. Remarkably, the popularity of cybercrime as a service has led to competitive pricing, thereby increasing the likelihood of victimisation as more criminals gain access to cyber skills.
Potential Threat Actors Targeting the Legal Sector
Similar to any other organisation, legal firms are becoming increasingly dependent on information technology (IT). This section provides an overview of the key individuals or groups who may target legal firms with the intent to pilfer funds, gain access to sensitive data, or engage in extortion. These threats can be directed at your firm directly or through the suppliers you rely on. In some cases, they may even target your staff’s personal devices, in addition to your business equipment, networks, and systems.
Cyber Criminals
The foremost threat to the UK legal sector emanates from cybercriminals motivated by financial gain. These cybercriminals span a wide spectrum, ranging from sophisticated, professional groups to small-scale fraudsters. Some criminals can readily purchase pre-made services from more seasoned cybercriminals, eliminating the need for advanced technical skills. This shift has resulted in an upsurge in cybercrime’s scale, with criminals indiscriminately targeting thousands of organisations, both large and small, primarily employing automated tools that require minimal technical expertise.
The NCSC has observed the emergence of “hackers-for-hire,” individuals or groups who earn money by executing malicious cyber activities on behalf of third-party clients. These activities often involve the theft of information to gain an advantage in business negotiations or legal disputes. For their clients, these hackers-for-hire provide technical expertise and plausible deniability in case their involvement is uncovered.
Nation-state Funded Attackers
Nation-states engage in cyber activities to advance their national interests and prosperity, or to disrupt individuals working on matters that conflict with the state’s objectives, such as human rights or regime change. Countries like Russia, Iran, and North Korea have been identified as employing criminal actors to further their state aims, raising funds and causing disruption using criminal malware techniques. Major law firms are particularly vulnerable as they may be part of the broader supply chains used by nation-states. The risk may be even greater for law firms advising highly sensitive clients or operating in regions hostile to the UK. State actors, such as those from China, have also used cyber techniques for intellectual property theft, which poses an additional risk for law firms dealing with intellectual property rights.
Hacktivists
Hacktivists are computer hackers motivated by specific causes, such as advancing political or personal agendas or reacting to perceived injustices or events; they have occasionally employed Distributed Denial of Service (DDoS) attacks to disrupt or deface websites. The NCSC has noted some growth in the hacktivist community targeting law firms. The risk is most significant for firms representing organisations at odds with hacktivists’ political, economic, or ideological agendas, such as those working in the life sciences or energy sectors.
Insider Threat
The insider threat refers to the deliberate or accidental threat to an organisation’s security stemming from individuals with authorised access, such as employees, volunteers, contractors, or suppliers. Disgruntled employees or former employees with grudges, for example, may still hold access to sensitive data and financial resources that could be exploited. Insider threats are not always driven by malicious intent; they can also result from factors like insufficient staff training, burdensome processes that inadvertently encourage shortcuts, or simple mistakes, such as falling for a convincing phishing attack. Managing staff security effectively is crucial in the legal sector, given that many staff members may have access levels that could be of interest to criminal groups. A previous blog post, The Enemy Within, provides further information regarding the risks from employees.
Primary Categories of Cyber Attacks
Phishing
‘Phishing’ is a tactic employed by cybercriminals who utilise fraudulent emails, text messages, or phone calls to deceive their targets. The primary objective is typically to entice recipients into visiting a website, which can subsequently lead to the download of malicious software (such as ransomware or a virus) onto their computers or the theft of sensitive information, including bank details and login credentials.
Phishing emails often blend into the deluge of legitimate messages that inundate busy users daily. They continue to represent the most prevalent form of cyber attack against law firms. Due to the ease and cost-effectiveness of sending millions of phishing emails, a majority of these attacks are untargeted and frequently originate from free email accounts.
Law firm websites often contain extensive information and contact details for senior staff, partners, and associates. Cybercriminals can leverage this information, coupled with data from social and professional networking sites, to orchestrate more precise and targeted attacks. One such technique involves criminals monitoring LinkedIn to identify new hires within an organisation, subsequently sending fraudulent emails to the HR department. These deceptive emails typically contain requests to alter the payroll account details for the new employee, aiming to intercept salary payments.
Another common phishing attack seeks to manipulate victims into divulging their Usernames and Passwords. These phishing emails frequently mimic the login pages of well-known platforms like Microsoft or Google and claim to be related to a fabricated legal matter, demanding authentication for access. Should recipients input their credentials, attackers can exploit this information for subsequent attacks or sell it to other criminal entities.
Business Email Compromise (BEC)
Business Email Compromise (BEC) represents a type of phishing attack whereby a cybercriminal endeavours to deceive a senior executive or budget holder into transferring funds or disclosing sensitive information. In contrast to typical phishing emails that are sent indiscriminately to countless recipients, BEC attacks are meticulously tailored to entice specific individuals, making them even more challenging to identify.
Law firms are appealing targets for BEC attacks due to their involvement in substantial financial transactions and their need to access sensitive documents, such as financial records, contracts, and designs. Moreover, law firms are generally regarded as trustworthy and authoritative entities, qualities that attackers exploit when devising their phishing strategies.
In the course of a BEC attack, cybercriminals adopt one of two approaches:
- They employ a legitimate email account that they have gained access to, often due to weak password security or the absence of multi-factor authentication.
- They use a ‘lookalike’ email address that pretends to belong to a legitimate company member but is, in reality, controlled by the cybercriminal. For instance, an email that appears to be from “[email protected]” may actually originate from “[email protected].”
A common tactic entails fabricating an email thread or, even more convincingly, duplicating a genuine exchange with clients or suppliers concerning an invoice or payment. At an opportune moment, the attackers dispatch a doctored email containing new bank details, aiming to deceive individuals into transferring funds to an account under the attackers’ control.
Malicious emails also serve as a launching pad for phishing campaigns directed at other law firms, particularly when multiple firms are involved in a legal matter or case. Some of these emails may harbour viruses camouflaged as innocuous attachments, which become activated upon opening.
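The two BEC approaches above (a lookalike sender domain, and a doctored message carrying new bank details) can both be checked mechanically at the mail gateway or in a mailbox rule. The following is an added example written for this post, not Fusion IT's own tooling; it assumes a hypothetical list of trusted correspondent domains and uses constructed sample messages.

```python
import re
from email.utils import parseaddr

# Hypothetical domains this firm legitimately corresponds with (constructed for the example).
TRUSTED_DOMAINS = {"examplefirm.co.uk", "client-corp.com"}

# Wording that typically accompanies a payment-diversion request.
BANK_CHANGE_PATTERNS = [
    r"\bnew bank (?:details|account)\b",
    r"\b(?:updated|changed|amended) (?:our )?(?:bank|payment|account) details\b",
    r"\bsort code\b.*\baccount number\b",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_from: str) -> str:
    """Domain of the real address in a From: header such as 'Jane <jane@x.com>'."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this sender imitates, or None.
    An exact match is legitimate; a near-miss (small edit distance, or the same
    first label under a different TLD such as .com instead of .co.uk) is flagged."""
    if domain in trusted:
        return None
    for t in trusted:
        same_label = domain.split(".", 1)[0] == t.split(".", 1)[0]
        if levenshtein(domain, t) <= max_distance or same_label:
            return t
    return None

def assess_email(header_from: str, body: str) -> dict:
    """Combine the sender check with a bank-detail-change check into one verdict."""
    domain = sender_domain(header_from)
    impersonated = lookalike_of(domain)
    bank_change = any(re.search(p, body, re.I | re.S) for p in BANK_CHANGE_PATTERNS)
    # Highest risk when a lookalike sender also asks for a payment to be redirected.
    if impersonated and bank_change:
        verdict = "block-and-verify"   # hold the mail; confirm by phone on a known number
    elif impersonated or bank_change:
        verdict = "review"
    else:
        verdict = "ok"
    return {"domain": domain, "impersonates": impersonated,
            "bank_change": bank_change, "verdict": verdict}
```

Mail from a genuine subdomain (for example mail.examplefirm.co.uk) is not in the trusted set and would be missed by this check, so the list should carry every domain and subdomain a correspondent actually sends from.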
Ransomware and other malware
Ransomware is a malicious software, often referred to as ‘malware,’ that effectively denies you access to your computer or the data stored on it. In a ransomware attack, your data is typically encrypted, rendering it unusable, or it might even be stolen. The attackers may go to the extent of threatening to expose your sensitive information online. This poses a significant concern for the legal sector, which routinely deals with highly confidential data.
Typically, attackers send a ransom note demanding payment to regain access to the encrypted data, often utilising an anonymous email address. They commonly request payment in the form of cryptocurrency. Moreover, certain criminal groups offer a service known as ‘Ransomware as a Service,’ allowing other malicious actors to commission ransomware attacks, essentially putting these destructive tools into the hands of anyone willing to pay.
Both Fusion IT and law enforcement take a clear stance against endorsing, promoting, or encouraging ransom payments. If you choose to pay the ransom:
- There is no guarantee that you will regain access to your data or computer.
- Your computer will remain infected.
- You will be financially supporting criminal groups.
- You are more likely to become a target for future attacks.
Additionally, we strongly encourage organisations to be transparent about ransomware attacks by seeking assistance and openly communicating with Fusion IT and the Information Commissioner’s Office (ICO). Such openness can only benefit your organisation and ultimately contributes to a better collective understanding of the threat landscape for everyone.
While ransomware garners substantial media attention, it’s essential to maintain awareness of other types of malware and ensure that appropriate security measures are in place:
- Adware inserts malicious advertisements into the user interface, sometimes replacing legitimate ads in web browsers.
- Viruses, worms, and trojans are related forms of malware. Viruses are malicious code attached to legitimate executable files, while worms and trojans are standalone programs, with trojans designed to mimic legitimate applications.
- Bots are designed to interact with a system, and malicious bots may disrupt legitimate processes or provide command-and-control structures for remote adversaries, forming a ‘botnet.’
- Keyloggers and spyware operate in the background on an infected device, recording user interactions via peripherals like webcams and keyboards, storing this data for exfiltration.
Password Attacks
Securing access to data, systems, and services is imperative. It’s not only about keeping unauthorised individuals out but also about understanding who or what should have access and under what conditions. An effective approach to identity and access management ensures that it’s challenging for criminals to masquerade as legitimate users while keeping the process as user-friendly as possible for those with legitimate access needs.
The key identity and access threats faced by law firms include:
- Password Re-use: Often, individuals use the same passwords across various websites and services. This practice could enable a criminal to gain access to work accounts if the password is disclosed, such as during a data breach.
- Weak Passwords: Weak and commonly used passwords are easier for attackers to crack, providing quicker access to law firm systems.
- Excessive Permissions: Failure to restrict account permissions to the data and services that are pertinent allows attackers the opportunity to exploit compromised accounts, gaining access to more sensitive information and progressing to critical systems.
- Open Access: As the use of cloud systems for storing confidential data increases, misconfigurations of these systems can inadvertently leave data accessible to anyone. Attackers are adept at scouring the internet to locate these open access data sources.
- MFA Not Enabled: Multi-factor authentication (MFA) introduces an additional authentication step during system logins, making it more challenging for attackers to access systems, even if they possess a valid account and password.
Adopting robust identity and access management practices addresses these threats by ensuring that only authorised individuals or entities can access the necessary resources, safeguarding sensitive information and critical systems.
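An access review can be turned into a repeatable check against the threats listed above (MFA not enabled, excessive permissions, weak passwords, open access to cloud storage). The following is an added example written for this post and is not Fusion IT's own audit tooling; the role baseline, account records and storage records are constructed, and the password check uses SHA-1 only because breached-password lists are commonly distributed in that form, so no plaintext is handled by the audit.

```python
import hashlib

# Constructed baseline: the permissions each role legitimately needs (hypothetical firm).
ROLE_BASELINE = {
    "fee-earner": {"dms:read", "dms:write", "mail"},
    "finance":    {"dms:read", "mail", "ledger:write"},
    "it-admin":   {"dms:read", "mail", "admin:*"},
}

# Stand-in for a breached/common-password list, keyed by upper-case SHA-1 hex as such lists are.
COMMON_PASSWORD_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1", "Welcome123", "Summer2023!")
}

def audit_account(acct: dict) -> list:
    """Return the identity-and-access findings for one account record."""
    findings = []
    if not acct.get("mfa_enabled"):
        findings.append("MFA not enabled")
    # Anything beyond the role's baseline is an avenue for lateral movement if the account is compromised.
    excess = set(acct.get("permissions", ())) - ROLE_BASELINE.get(acct.get("role"), set())
    if excess:
        findings.append("excessive permissions: " + ", ".join(sorted(excess)))
    if acct.get("password_sha1", "").upper() in COMMON_PASSWORD_SHA1:
        findings.append("password appears in common-password list")
    if acct.get("left_firm") and acct.get("enabled", True):
        findings.append("leaver account still enabled")   # offboarding gap
    return findings

def audit_storage(locations: list) -> list:
    """Names of cloud storage locations whose policy allows anonymous reads (open access)."""
    return [loc["name"] for loc in locations
            if loc.get("public_read") or "allow_anonymous" in loc.get("policy", ())]

def run_audit(accounts: list, locations: list) -> dict:
    """Map each account or location with findings to its list of findings; clean items are omitted."""
    report = {a["user"]: audit_account(a) for a in accounts if audit_account(a)}
    for name in audit_storage(locations):
        report[name] = ["open access: anonymous read permitted"]
    return report

# Constructed sample inventory for illustration only.
SAMPLE_ACCOUNTS = [
    {"user": "a.partner", "role": "fee-earner", "mfa_enabled": True,
     "permissions": ["dms:read", "dms:write", "mail"],
     "password_sha1": hashlib.sha1(b"correct horse battery staple 77").hexdigest()},
    {"user": "temp.clerk", "role": "fee-earner", "mfa_enabled": False,
     "permissions": ["dms:read", "dms:write", "mail", "ledger:write"],
     "password_sha1": hashlib.sha1(b"Welcome123").hexdigest(), "left_firm": True, "enabled": True},
]
SAMPLE_STORAGE = [
    {"name": "case-files-archive", "public_read": False, "policy": []},
    {"name": "marketing-assets",   "public_read": True,  "policy": []},
]

if __name__ == "__main__":
    for item, findings in run_audit(SAMPLE_ACCOUNTS, SAMPLE_STORAGE).items():
        print(item, "->", "; ".join(findings))
```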
Supply Chain Attacks
Cybercriminals may target your organisation with the aim of gaining access to other businesses you collaborate with. Law firms, given their position in the global supply chain, can be enticing targets for nation-states that possess the resources and capabilities to infiltrate corporate clients and their data.
The intricate and widespread nature of modern supply chains enhances opportunities for cyberattacks. Even for small to medium-sized firms, the network of suppliers is extensive and diverse, encompassing various functions such as finance, billing, payment platforms, heating, ventilation, air conditioning (HVAC), and janitorial and cleaning systems. Each of these components presents potential entry points for cyber threats.
Summary
Are you concerned about the content of this post? Do you feel you have full control of the systems and staff within your law firm? Fusion IT are experts in IT security and hold the internationally recognised ISO 27001 accreditation as well as Sophos Gold Partner status. We use these accreditations, our skills and twenty years’ experience in the legal sector to head off the threats summarised in this article. The volume and sophistication of cyber threats continues to grow, so it has never been more important to protect your law firm and your clients’ critical data.
Thanks
Richard