Lewis Brisbois Cyberattack Shows Shift in Big Law Threat

A cyberattack on Lewis Brisbois illustrates how hackers target large law firms by cold-calling remote employees.

Hackers earlier this month tried to gain access to Lewis Brisbois employees’ accounts by posing as firm IT workers in phone calls. The attack showed some of the hallmarks of recent attacks on other large firms, in which cybercriminals pivoted away from phishing emails in favor of pressuring employees to act over the phone.

“Bad actors are going toward the path of least resistance, which is unfortunately humans,” said Daniel Parziale, a cyber incident advisor.

Several Lewis Brisbois support staff members work remotely or on hybrid schedules, signing into the Lewis Brisbois computer network from their personal devices. That set up, while not uncommon for firms post-COVID, made the firm vulnerable to threat actors posing as tech experts seeking remote control of a device already accessing the firm’s virtual network, cybersecurity professionals say.

Groups such as Silent Ransom are focusing on law firms in particular, the FBI warned last month. They’re trying to bypass two-factor authentication and other security measures.

“Large law firms remain attractive targets because they maintain large swaths of juicy information,” said Jesse Lemon, a cybersecurity lawyer with The Beckage Firm. “It makes them a one-stop shop for threat actors.”

It’s not clear who was behind the Lewis Brisbois attack and whether they were able to infiltrate the firm’s network. Representatives for the firm, which has some 1,600 lawyers nationwide, did not respond to comment requests.

‘The Value of Data’

Silent Ransom Group is known for its sophisticated social engineering schemes, using psychological pressure on employees to bypass security safeguards and gain access to internal networks before quickly snatching troves of data. The goal is to extort firms into paying up for the return of the sensitive information or risk reputation damage and legal liability.

Some hacker groups look for the law firms’ cyber insurance policies and request policy limits as ransom, said Melissa Ventrone, a Clark Hill partner who advises clients on data security and privacy. Ventrone said she has heard of one law firm, which she declined to name, paying $10 million to avoid the release of hacked data.

“This threat group understands the value of the data to the law firm,” she said.

Silent Ransom, which is also known as Luna Moth, was behind recent hacks of Orrick Herrington & Sutcliffe and Fox Rothschild, according to lawsuits filed against those firms.

A Fox Rothschild lawyer became the victim of “sophisticated” social engineering, said Mark McCreary, the firm’s chief artificial intelligence and information security officer. He said the firm, which faces a class action over the breach, has since beefed up its cybersecurity protections.

“This incident was limited to a single device associated with the user involved, and there was no broader access to the firm’s systems or network,” McCreary said in an email. “Moreover, the activity was quickly mitigated and contained. We are conducting a thorough review of the data involved and will provide notice as required by applicable law.”

Orrick declined to comment, noting that a related lawsuit against the firm was quickly withdrawn.

Personal Devices Blocked

Lewis Brisbois shut off access to its internal network from employees’ personal devices after an “event” took place earlier this month, according to a June 10 email viewed by Bloomberg Law. Curtis Hendzell, the Lewis Brisbois director of information, urged employees in a June 5 email to watch out for urgent phone calls from fake IT professionals using falsified caller IDs.

“We are receiving reports from across the firm of cyber criminals calling employees, including on cellphones, posing as internal IT department personnel and falsifying caller ID, asking for urgent action to secure accounts,” Hendzell said, urging employees to hang up on and report such calls.

Restricting access to the virtual network to devices controlled by the firm adds a layer of security, said Chris Loehr, executive vice president and co-founder of threat detector Cyrenity Cyber. That makes it easier for a firm responding to a threat to pin-point a suspicious IP address.

“If they don’t have control over these employee-owned machines, their only option is to cut that off,” Loehr said. “If the VPN was part of the reason they got attacked, forcing people to come into the office rather than work from home is a pretty typical step. You want to cut off an attack vector from the bad guys and secure that VPN going forward.”

It’s common for law firms to allow employees to use their own mobile phones for work, but Loehr said he’s surprised that a massive firm like Lewis Brisbois had not already restricted access for unofficial devices.

“I know many law firms that don’t allow their employees to use personal devices and they’re perfectly OK with it,” he said. “It doesn’t look like to me, as an outside observer looking in, that they took security as seriously as they should have.”