Reprinted from the August 2016 issue of Cybersecurity Law & Strategy with permission.
By now you’ve likely read the headlines about the recent attacks on various Asian banks, resulting in cyber losses reported in the tens of billions. And if you’re really paying attention, you probably know these attacks have been linked to the Lazarus cybercrime organization, which has suspected ties to the North Korean government. Earlier this year, the Lazarus Group was also identified as the likely culprit behind the brazen attacks on Sony back in 2014. In all likelihood, you read the headlines, and then you moved on to read the latest sports scores. Why? Because it doesn’t relate to you. Or does it?
I often use this analogy when speaking with law firms about cyber risks: If I told you that thieves broke into a major bank in your town and stole cash, you wouldn’t care. If I told you that the same thieves broke into your neighbor’s house, you’d rush out and sign up for an alarm service and buy an intimidating watch dog. The point is, we only pay attention to that which we think relates to us.
And that’s the general problem with a security industry obsessed with big retail and entertainment brands splashed across headlines, and a paparazzi-like zeal for mega data breach and the resulting class action suits. Much like my analogy, most mid-market firms ignore the lesson learned by the big game bagged by cybercriminals. Smaller firms write off the cyber risk as hyperbole or misguided panic. Smaller firms don’t think they have anything worth stealing. The criminal actors use this blind spot as a way to freely move throughout the networks of modest investment funds and laws firms. They use low tech to infiltrate their victims to steal information they can resell or use to front run trades on the open stock markets. It’s a simple business model and it works: less hardened targets take less time and effort to attack, and often yield the same revenue as can be gained from larger victims.
So, let’s return to my analogy. What if the same criminal organization that robbed that major factory in your town, also broke into your neighbor’s house? They did. Lazarus, that bank swindling, Sony humiliating firm, has attacked a mid market U.S. financial company. Paying attention now?
The Enemy Is Inside the Wire
In August 2015, our Security Operations Center (SOC) detected suspicious activity originating from within a client’s network. We blocked the network transactions and alerted our client to the action, and then applied a rule across our entire security base to protect all clients from further attacks. We then submitted our rule through public forums to the broader security community.
Months later, the spate of Asian bank hacks provided evidence implicating Lazarus as the perpetrator. Television programs leave us with an inflated sense of certainty when it comes to forensic evidence left by the perpetrator at the scene of a crime. Yet, like its physical corollary, electronic crime leaves a form of DNA. This forensic fingerprint can be used to piece together common factors associated with specific criminal organizations. Think modus operandi. In this case, the August attack carried distinctive markers linking the attack to the Lazarus Group. Yes, the same Lazarus group that has taken on the South Korean government, Sony Pictures and a significant collection of Asian Banks.
We published the timeline on our blog and have subsequently briefed the FBI, U.S. District Attorney and the SEC to assist with ongoing investigations. Agencies of the U.S. government are concerned, so you should be, too.
Asset Management Funds and Law Firms: Small Companies with Big Company Problems
The client at the center of our Lazarus-based investigation is a New York-based asset management firm. The attackers didn’t target a mega-corporation, national retailer or restaurant chain. They didn’t target a prime broker or big investment bank. Instead, they focused on a mid- market company, which coincidentally offers the same profile as a law firm. And by profile, I mean that the firm holds high value assets, has a low tolerance to reputational risk and doesn’t operate a IT department the size of a national corporation or bank. Another way to summarize is to say, the targeted asset management firm, like many law firms, is a small company with big company problems.
So how does a small firm tackle the security challenges like a large firm? The first thing I tell clients is to recognize themselves as a target. You are a lucrative and soft target to smash-and-grab criminals looking for a quick profit through compromised wire transfer accounts or fraudulent invoices, or the more sophisticated criminal organizations like Lazarus.
The second thing I advise is to join the Legal Services Information Sharing & Analysis Organization (LS-ISAO). Sharing threat intelligence is one of the best defenses against cyber threats and attacks. LS-ISAO offers real-time alerts and advisories on new vulnerabilities, exploits and active attacks. With the LS-ISAO, when threats like those executed by the Lazarus Group happen, you’ll know about it. This actionable information is a critical element in your cyber defense posture, and should feed into your ongoing security awareness training.
And last, I tell clients to be vigilant. Start with a zero-trust model. Assume the bad guys are inside your network, and monitor traffic looking for indicators of compromise. When we think about the rash of mid-market bank hacks, third-party risk cannot be overlooked. It’s easy to assume that vendors would value cybersecurity just as you do, however that’s not always the case. In fact recognizing this, policy makers have placed heightened focus on third-party risk and cascading compliance requirements. Multiple banks affiliated with the string of Lazarus hacks suffered losses as a result of endpoint compromise related to their financial transaction vendor (namely SWIFT, which is a transaction vendor commonly used by financial institutions).
In an interconnected, cyber world, we need to abandon the false security based on the notion that we live in a safe neighborhood. Major organized hacks occur on native soil as frequently as they occur on the other side of the world. So, you can live in an affluent, gated community. Have no fear, the bad guys can trick you into a dark alley of their choosing. We all know that cyber threats aren’t going to go away. Cybercriminals will continue to seek out gateways into your firm’s network. With ever-increasing risk, industry borders are irrelevant. Law firms must pay attention to threats impacting all industries because while the cyberattackers may target the bank down the street this week, they could and likely will target your firm tomorrow.