Reuters reported in late June that thousands of email records it had uncovered showed cyber spies hacking into parties and law firms involved in lawsuits around the world.[1] Apparently, hired spies have become a weapon of litigants looking for an advantage. Google’s Threat Analysis Group (TAG) describes this segment of attackers as “hack-for-hire” firms who take advantage of known security flaws to compromise accounts and exfiltrate data as a service.[2] As found in the Reuters investigation, law firms who handle high-profile or high-dollar litigation matters are particularly at risk for such attacks.

WHO IN THE HECK IS SUMIT GUPTA?

Sumit Gupta is a cybersecurity expert who worked with a group of associates in India to build an underground hacking operation that became a center for private investigators who were looking to bring an advantage to clients in lawsuits.[3] In 2020, Mr. Gupta told Reuters that while he did work for private investigators, “I have not done all these attacks.”[4] However, during its investigation, Reuters identified 35 legal cases since 2013 in which hackers from India attempted to obtain documents from one side or another of a courtroom contest by sending them password-stealing emails. The messages often looked like innocuous communications from clients, colleagues, friends or family. For example, some emails appeared to be from Facebook and contained a link to view a “private message” from a friend.[5] Others appeared to be from news sites and contained what appeared to be links to legitimate news stories. The purpose of the emails was to allow the hackers access to the targets’ inboxes, which they would then search for private or attorney-client privileged information. At least 75 U.S. and European companies, 36 advocacy or media groups and numerous Western business executives were targets of these hacking attempts.[6]

HOW RELIABLE IS THE REUTERS REPORT?

The Reuters report was based on interviews with victims, researchers, investigators, former U.S. government officials, lawyers and hackers, plus a review of court records from seven countries. It drew on a unique database of more than 80,000 emails sent by the hackers to 13,000 targets over a seven-year period.[7] The database is effectively the hackers’ hit list and shows who the cyber spies sent thousands of phishing emails to between 2013 and 2020. As surprising as it was to learn these cyber mercenaries exist, it is perhaps even more surprising to learn that this activity has been going on since at least 2013. It is alarming how this flew under the radar for so long.

The data supporting the report came from two providers of email services the spies used to carry out their espionage campaigns. Why would they cooperate? It seems the providers gave Reuters access to the material after it asked about the hackers’ use of their services; they offered the sensitive data on the condition of anonymity. Reuters then vetted the authenticity of the data with cybersecurity experts, including Scylla Intel, British defense contractor BAE, U.S. cybersecurity firm Mandiant and technology companies LinkedIn, Microsoft and Google, who all analyzed the emails. Each of these firms confirmed the database showed hacking-for-hire activity from India by comparing it with previously gathered data on the hackers’ techniques. The teams at Mandiant, Google and LinkedIn found the spying activity was linked to three companies, all of whom were linked to Mr. Gupta.[8] “We assess with high confidence that this data set represents a good picture of the ongoing operations of Indian hack-for-hire firms,” said Shane Huntley, head of Google’s cyber threat analysis team.[9]

WERE LAW FIRMS VERIFIED AS TARGETS OF THESE ATTACKS?

Reuters sent requests for comment to each email address that was attacked and communicated with more than 250 individuals. Most who responded said attempted hacks took place either before anticipated lawsuits or when litigation was ongoing.[10] The hackers tried to access the inboxes of about 1,000 attorneys at 108 different law firms. Among the law firms targeted were global practices, including U.S.-based Baker McKenzie, Cooley, and Cleary Gottlieb Steen & Hamilton. Major European firms, including London’s Clyde & Co. and Geneva-based arbitration specialist LALIVE, were also hit.[11] These firms declined to comment or did not return messages, which is not surprising. Their failure to respond to the Reuters investigation is not to say that no action was taken, as we suspect that defenses against such attacks were expeditiously fortified.

WHAT WERE THE SPIES AFTER?

The Reuters investigation found the legal cases targeted varied in profile and importance, from personal disputes to those involving multinational companies with a lot of money at stake. From London to Lagos, at least 11 separate groups had their emails leaked publicly or introduced as evidence mid-trial. In several cases, court records showed stolen documents affected the verdict.[12] Not surprising, but quite alarming. “It is an open secret that there are some private investigators who use Indian hacker groups to target opposition in litigation battles,” said Anthony Upward, managing director of Cognition Intelligence, a UK-based countersurveillance firm.[13]

WHO HIRED THESE HACK-FOR-HIRE FIRMS?

In 2013, Ryan Blair, a Silicon Valley direct sales entrepreneur, asked his bodyguard to find “compromising material” on Ocean Avenue, a rival company against whom his diet shake company had filed a series of lawsuits. The bodyguard retained a private investigator who then hired Mr. Gupta’s firm to hack Ocean Avenue executives’ emails. Ocean Avenue ultimately learned of the attacks and filed a federal lawsuit alleging extortion, intimidation and hacking against Blair’s company, which resulted in an undisclosed settlement. The bodyguard and the investigator who hired Mr. Gupta were charged by the FBI with hacking and pleaded guilty to their role in the attacks. Mr. Gupta was also charged by the FBI but to date has not been apprehended.[14]

According to the Reuters story, the FBI has been investigating others who may have hired Mr. Gupta or his company to hack American targets since 2018 but has not brought any further charges.[15] Although the data obtained by Reuters uncovered the targets and methods of these hacks, the data doesn’t answer key questions, such as who hired the hackers, whether the hacks were successful or even if any stolen information was used.

WHAT RISKS DO LAWYERS FACE FROM THESE HACK-FOR-HIRE ATTACKS?

There are obvious risks for criminal and civil liability for lawyers if they were to hire a hack-for-hire firm or use information obtained from these firms or if sensitive, private information regarding clients or parties is compromised.[16] However, these hacking schemes particularly put attorneys at risk for disciplinary action and malpractice claims for violating duties imposed by the rules of professional conduct. Of course, attorneys who hire these firms or who obtain or rely on information they knew or should have known was obtained by such hacks would clearly violate the rules of professional conduct.[17] But the chief concern for most lawyers should be the risk for discipline or malpractice if sensitive or privileged information is compromised.

Attorneys have ethical duties to take reasonable measures to safeguard client information.[18] These duties are sometimes a challenge to attorneys because “most are not technologists and often lack training and experience in security.”[19] Several ethics rules specifically address the lawyer’s duties to safeguard client information, including competence (Rule 1.1), communication (Rule 1.4), confidentiality of information (Rule 1.6) and supervision (Rules 5.1, 5.2 and 5.3). The rules of professional conduct specifically impose a duty for lawyers to be aware of and safeguard against risks associated with technology.[20]

As noted in the ABA’s 2021 Legal Technology Survey Report, the rules of professional conduct require attorneys regarding the use of technology to:

1) Employ competent and reasonable measures to safeguard the confidentiality of information relating to clients,

2) Communicate with clients about attorneys’ use of technology and obtain informed consent from clients when appropriate and

3) Supervise subordinate attorneys, law firm staff and service providers to make sure they comply with these duties.[21]

Therefore, it is important for lawyers and law firms to become educated about potential hacking activity and what steps can be taken to prevent it.

HOW CAN LAWYERS AND LAW FIRMS GUARD AGAINST HACK-FOR-HIRE SCHEMES?

The first line of defense for attorneys is to educate themselves, other attorneys and staff in their firms, and even their clients, about the tactics of hack-for-hire firms and the types of emails used in their schemes. A good place to start would be to check out Reuters’s “Hacker Hit List,” which shows how the mercenary hackers hunted lawyers’ inboxes in the emails obtained during its investigation.[22] Techniques for breaking into attorneys’ emails varied. The hit list shows the hackers imitated services such as LinkedIn or YouPorn and the subject lines the hackers used to entice their targets. The hackers tried to rouse attorneys’ interest with news about colleagues or subject lines with weird or scandalous news. Sometimes the hackers impersonated social media services or even porn sites.[23] It is probably a good idea for lawyers to look at the hit list so they can instruct employees on what the emails looked like – law firm cybersecurity training should always be top of mind for law firms. Users must also be educated on how they must be careful to avoid clicking on any links in an email from an unknown source or that have not been authenticated as genuine.[24]

Other important defenses include the use of email spam filters, multi-factor authentication and enabling advanced protections on email accounts.[25] And let us not forget what makes cybersecurity experts tear their hair out: applying security patches and updates quickly upon their release. Users should always update their devices, operating systems and software promptly. Finally, for larger firms or attorneys handling high-profile or high-dollar cases, it is recommended they have an outside cybersecurity firm perform a security assessment.

---

ABOUT THE AUTHORS

Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. Ms. Nelson is a co-author of 18 books published by the ABA. She may be contacted at snelson@senseient.com.

 

 

 

 

John W. Simek is the vice president of Sensei Enterprises Inc. He is a certified information systems security professional (CISSP), a certified ethical hacker (CEH) and a nationally known expert in the area of digital forensics. He and Ms. Nelson provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm. Mr. Simek may be contacted at jsimek@senseient.com.

 

 

 

 

Michael C. Maschke is the CEO/director of Cybersecurity and Digital Forensics of Sensei Enterprises Inc. He is an EnCase-certified examiner, a certified computer examiner (CCE #744), a certified ethical hacker and an AccessData-certified examiner. He is also a certified information systems security professional. Mr. Maschke may be contacted at mmaschke@senseient.com.

 

 

 

 

---

ENDNOTES

[1] Rachel Satter and Christopher Bing, “A Reuters Special Report: How mercenary hackers sway litigation battles” (June 30, 2022), https://reut.rs/3UjTGD2.

[2] Shane Huntley, “Updates from Threat Analysis Group (TAG): Countering hack-for-hire groups” (June 30, 2022), https://bit.ly/3DXNCL0.

[3] Satter, supra note 1.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id.

[13] Id.

[14] Id.

[15] Id.

[16] Two of the most relevant statutes are the Computer Fraud and Abuse Act (18 U.S.C. §1030) and the Stored Communication Act (18 U.S.C. §121), which make it unlawful to intentionally access emails or information stored remotely on servers without permission from the account holder. There are too many statutes and regulations to provide a comprehensive list, but the Texas Lawyers’ Insurance Exchange website has a good summary of state and federal laws and regulations related to law firm data security breaches (or links where to find them). See Jet Hanna, “The Risk of Data Breaches in Law Firms” (accessed Oct. 21, 2022), https://bit.ly/3FGU9uV.

[17] Rule 8.4 of the ABA Model Rules of Professional Conduct (which has been adopted in Oklahoma) provides:
Maintaining The Integrity Of The Profession
Rule 8.4 Misconduct
It is professional misconduct for a lawyer to:
1) violate or attempt to violate the Rules of Professional Conduct, knowingly assist or induce another to do so, or do so through the acts of another;
2) commit a criminal act that reflects adversely on the lawyer's honesty, trustworthiness or fitness as a lawyer in other respects;
3) engage in conduct involving dishonesty, fraud, deceit or misrepresentation…

[18] David G. Ries, ABA Tech Report 2021 (Dec. 22, 2021), https://bit.ly/3WlfH6e.

[19] Id.

[20] Comment 6 to Rule 1.1 of the Oklahoma Rules of Professional Conduct provides that the duty of competency includes the duty to “maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject, including the benefits and risks associated with relevant technology.”

[21] Ries, supra note 16.

[22] Satter, supra note 1.

[23] Id.

[24] Cedric Pernet, “The business of hackers-for-hire threat actors” (July 1, 2022), https://tek.io/3Wlgiou.

[25] Ries, supra note 16.