Law firm and cyber criminals clash over source of stolen data

A dispute has broken out over the provenance of stolen data between US law firm Jones Day and the Cl0p ransomware gang after a number of the firm’s assets were leaked on the dark web.

In correspondence with the Wall Street Journal, the Cl0p gang claimed to have obtained more than 100GB of material directly from Jones Day’s servers, and said it first contacted the firm with ransom demands on 3 February 2021. Jones Day has not engaged with the gang, hence the leak.

However, the WSJ went on to report that Jones Day – which is among a number of law firms criticised for its ties to former president Trump – has denied its network was breached and insists that the data was stolen in a supply chain attack on Accellion’s legacy file transfer product, FTA, which was publicly disclosed in January 2021.

The WSJ said it had reviewed some of the leaked data and had indeed found evidence of Accellion configuration files and logs showing clear links to Jones Day.

Accellion was first informed of a zero-day vulnerability in its FTA product – which is rapidly approaching end-of-life anyway – in December 2020. It released a patch within 72 hours, but the initial incident turned out to be just the first of a series of exploits used to attack its service over the following weeks.

“Our latest release of FTA has addressed all known vulnerabilities at this time,” said Accellion CISO Frank Balonis. “Future exploits, however, are a constant threat. We have encouraged all FTA customers to migrate to kiteworks for the last three years and have accelerated our FTA end-of-life plans in light of these attacks.

“We remain committed to assisting our FTA customers, but strongly urge them to migrate to kiteworks as soon as possible.”

Other known victims of the Accellion attacks include the Reserve Bank of New Zealand (Te Pūtea Matua), the US State of Washington, and the Australian Securities and Investments Commission.

Emsisoft’s Brett Callow said: “If Cl0p published Jones Day’s data and Jones Day says the data leaked a result of the attack on Accellion, the logical conclusion would be that Cl0p was responsible for that attack – and that means they may have data relating to other Accellion customers.”

James McQuiggan, security awareness advocate at KnowBe4, said that as with the still-unfolding SolarWinds incident, cyber criminals were understandably focusing their attacks on third parties and service providers, such as Accellion, that support many customers.

“These organisations will want to review and elevate their security programs to ensure they do not suffer a breach, leading to a similar compromise,” said McQuiggan. “These attacks damage the organisation’s customers and clients and damage the reputation and possible bottom line for that organisation.

“With an organisation that provides large file transfers, one consideration for them to protect their data is to encrypt the data before transferring it and to protect it from the third-party provider. Upon delivery to the receiver, they would have the key to decrypt and view the data.”

Ilia Kolochenko, founder of Immuniweb, added: “It is highly likely that a third party or a vendor is the root cause of the alleged data breach. Cyber criminals usually start their 'shopping' by probing unprotected third parties that have access to valuable data of the victim. Currently disclosed details about the stolen data indicate that the incident has a narrow impact and only a limited number of customers and cases are affected by it. Also, even if some documents are marked as confidential or privileged, it does not necessarily mean that they still have, or ever had, this protectable status.

“This is, however, a good example where negotiations with the attackers could have minimised the damage, notably the reputational impact of the incident. Aggrieved clients and impacted third-parties may have a wide spectrum of legal claims against the law firm, spanning from violation of state privacy and data protection laws to legal malpractice. The incident deserves rapid investigation and transparent communications with the affected customers, if any.”