Chinese hackers are using Roy Moore to target attorneys at major firms, according to analysts with the cybersecurity firm FireEye. Lawyers with at least three multinational firms have been targeted with emails capitalizing on the scandal surrounding Moore’s Senate campaign. Those emails contain a Word document which, if opened, could allow hackers to remotely access the attorneys’ computers and gain access to confidential information.
Moore is currently running to fill the Alabama Senate seat vacated by Jeff Sessions. His candidacy is, to put it mildly, controversial. Prior to running for Senate, Moore had twice served as Chief Justice of the Alabama Supreme Court, being removed from office in 2003 and resigning after being suspended from office in 2016. During his Senate campaign, Moore has faced repeated allegations that he engaged in sexual misconduct with several teenage girls. Moore denies the accusations and remains a front runner in the race.
The Moore-related hacking attempts appear to come from a group of cybercriminals suspected to be affiliated with the Chinese government, according to the website Cyberscoop. “The hacking group, which is known as APT19, will often design phishing campaigns that contain references to pertinent, high-profile U.S. news stories,” Cyberscoop explains.
This particular email used the subject line “FW: Roy Moore scandal ignites fundraising explosion for Democratic Challenger Doug Jones”. If the attached Word document was opened, it would covertly download a backdoor onto the target’s computer, potentially allowing APT19 to access both the attorney’s individual device and the law firm’s network.
The use of current events in phishing emails is not unusual, Cyberscoop notes, and APT19’s emails have recently taken a political bent, with other phishing emails referencing Hillary Clinton as well as the disgraced Hollywood producer Harvey Weinstein.
Lawyers Remain a Favorite Target
Nor is it unusual for hackers to target law firms. The Roy Moore phishing attacks appear to have been the fourth wave in a series of targeted attacks directed at three US-based law firms, each with offices in China. “It’s feasible that APT19 is looking to steal financial documents, including information about business mergers and acquisitions which could be worth a lot,” says Ben Read, a FireEye analyst.
Last year, the Department of Justice indicted three Chinese citizens for their involvement in a similar hacking and insider trading scheme. The three men were accused of breaking into the servers of large law firms handling corporate M&A work, then using the insider information they obtained to make over $4 million on the stock market. They are thought to have gained access to the firms’ servers through phishing emails as well.
The case is the largest insider trading prosecution to involve hacking, according to Reuters.
“This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals,” then-U.S. Attorney Preet Bharara warned at the time.
It’s not just Chinese hackers who are going after attorneys either. Last summer, a Russian cybercriminal going by the nom de keyboard of Oleras targeted 50 major U.S. firms. His weapon of choice was also the phishing email, though, instead of playing off politics, Oleras went after attorneys’ vanity. Attorneys who advertised their every honor and award, no matter how trivial, were targeted for emails saying they had won an award from “Business Worldwide.” If the marks’ pride overtook their skepticism, they may have compromised their entire firm’s network.
The threat isn’t isolated to major firms and M&A practices, either. This summer, email scammers stole half-a-million dollars from attorneys in a wage and hour dispute. The theft took place after hackers infiltrated the lawyers’ emails and instructed them to wire settlement funds to an account under the criminals’ control. And in 2016, email fraud became such a pervasive problem in British real estate transactions that Britain's Conveyancing Association urged solicitors to forego email altogether, in favor of old-fashioned physical post.
Keeping Hackers Out of Your Inbox
There’s little wonder why law firms remain a favorite target for hackers. Because law firms handle such sensitive and valuable information, they become a “one-stop shop” for hackers, whether it's the emails sent between M&A partners and their clients or the sensitive information stored in a discovery repository. Law firms are also generally seen as weak on cybersecurity, when compared to other lucrative targets, making them a more enticing target than the clients themselves.
So, how can you ensure that phishing emails don’t molest your inbox and compromise client information? First, keeping your systems up to date can be a key, and simple, protection. The first wave of APT19 attacks, which began targeting firms in June, relied on a well-known flaw in outdated versions of Microsoft Office, according to FireEye. Vulnerabilities in outdated software were also behind the massive ransomware attacks that shut down businesses and law firms this summer.
Strong cybersecurity software is also a must. FireEye was able to detect the phishing emails “at the perimeter, before they really get a chance to do much,” according to Read. (They’re not the only ones tasked with keeping Roy Moore at a distance—but we digress.) For unknown malware, which may evade off-the-shelf anti-virus software, monitoring a firm's network for suspicious activity or anomalous user behavior can also help spot and neutralize threats.
A skeptical approach to email helps as well. While your instinct may be to respond to emails as soon as possible, particularly when rushed or overworked (so, all the time), take a moment to double check the authenticity of emails, particularly those claiming urgency with regard to financial matters or imploring you to click on a link or download an unusual file.
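The three habits above (current software, perimeter and behavioral detection, and a skeptical second look at mail) can be partly automated on the mail side. The script below is an added example, not code from Logikcull or FireEye: it parses a raw message and flags the indicators this post describes, namely a forwarded-looking news subject arriving from an outside sender, a Reply-To that points somewhere other than the sender, a legacy or macro-enabled Office attachment of the kind APT19 used, and urgent wire/settlement language like the scheme that cost the wage-and-hour attorneys half a million dollars. The firm domain `example-law.com`, the sender addresses, and the sample messages are all constructed for the example; the output is a list of things worth a human look, not a verdict.

```python
"""Triage incoming mail for the phishing indicators discussed in the post.

Added example (not Logikcull's or FireEye's code). Heuristic only: it
flags messages for a second look, it does not decide whether they are safe.
"""
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

INTERNAL_DOMAINS = {"example-law.com"}        # assumption: the firm's own mail domain(s)
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}  # macro-enabled Office formats
LEGACY_OFFICE = {".doc", ".xls", ".ppt", ".rtf"}  # binary/legacy formats often used as carriers
FINANCE_URGENCY = ("wire", "settlement", "transfer", "urgent", "immediately", "payment")


def _addr_domain(msg: EmailMessage, header: str) -> str:
    """Lower-cased domain of the first address in a header, or '' if absent."""
    hdr = msg.get(header)
    addresses = getattr(hdr, "addresses", ()) if hdr is not None else ()
    return addresses[0].domain.lower() if addresses else ""


def analyze_message(raw: bytes) -> dict:
    """Return the subject, whether the sender is external, and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = str(msg.get("Subject", ""))
    from_domain = _addr_domain(msg, "From")
    reply_domain = _addr_domain(msg, "Reply-To")
    external = from_domain not in INTERNAL_DOMAINS

    # A "FW:" news story from someone outside the firm is the APT19 pattern.
    if external and subject.lower().startswith(("fw:", "fwd:")):
        findings.append("forwarded-looking subject from an external sender")

    # Replies silently routed to a different domain are a classic fraud tell.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain ({reply_domain}) differs from From domain ({from_domain})")

    # Office attachments: macro-enabled and legacy binary formats deserve scrutiny.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name).suffix.lower()
        if ext in MACRO_EXTENSIONS:
            findings.append(f"macro-enabled Office attachment: {name}")
        elif ext in LEGACY_OFFICE:
            findings.append(f"legacy Office attachment: {name}")

    # Urgent financial language from outside the firm (wire-fraud pattern).
    body = msg.get_body(preferencelist=("plain",))
    text = (subject + " " + (body.get_content() if body else "")).lower()
    hits = sorted(term for term in FINANCE_URGENCY if term in text)
    if external and len(hits) >= 2:
        findings.append("urgent financial language: " + ", ".join(hits))

    return {"subject": subject, "external": external, "findings": findings}


def build_samples() -> dict:
    """Constructed sample messages (not real mail) in the shapes the post describes."""
    news_lure = EmailMessage()
    news_lure["From"] = "news@mail-updates.example"
    news_lure["Reply-To"] = "contact@other-host.example"
    news_lure["To"] = "partner@example-law.com"
    news_lure["Subject"] = "FW: Roy Moore scandal ignites fundraising explosion for Democratic Challenger Doug Jones"
    news_lure.set_content("Thought you would want to see this article. Document attached.")
    news_lure.add_attachment(b"placeholder-bytes", maintype="application",
                             subtype="msword", filename="article.doc")

    wire_fraud = EmailMessage()
    wire_fraud["From"] = "counsel@lookalike-firm.example"
    wire_fraud["To"] = "partner@example-law.com"
    wire_fraud["Subject"] = "Urgent: settlement funds"
    wire_fraud.set_content("Please wire the settlement payment immediately to the new account.")

    internal = EmailMessage()
    internal["From"] = "associate@example-law.com"
    internal["To"] = "partner@example-law.com"
    internal["Subject"] = "Draft engagement letter"
    internal.set_content("Attached is the draft for your review.")
    internal.add_attachment(b"placeholder-bytes", maintype="application",
                            subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                            filename="engagement.docx")

    return {"news_lure": news_lure.as_bytes(), "wire_fraud": wire_fraud.as_bytes(),
            "internal": internal.as_bytes()}


if __name__ == "__main__":
    for label, raw in build_samples().items():
        result = analyze_message(raw)
        print(f"{label}: {result['findings'] or 'no findings'}")
```

The thresholds are deliberately conservative (two financial terms, external sender only) so the script surfaces the patterns in this post without burying a busy attorney in alerts; a firm would tune the term list and the internal-domain set to its own mail.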
Finally, lawyers should look into the security measures that their vendors and software providers are using as well. (Information on Logikcull’s security can be found here.) Remember Target’s 2013 data breach? The one that compromised the credit card data of 40 million customers and cost the company more than a quarter-billion dollars? It started because of weak security at an HVAC contractor.
With a little work, a little vigilance, and a reliance on secure third parties, you should be able to improve the security of your most sensitive information—and keep those Roy Moore and Hillary Clinton email scams from wreaking havoc on your firm.
This post was authored by Casey C. Sullivan, who leads education and awareness efforts at Logikcull. You can reach him at email@example.com or on Twitter at @caseycsull.