The Jones Day Firm Data Breach

Article Provided by Ron Bush

Ron Bush Consulting, Inc.

2020 was the year that was.  Was what?  It started off with a bang before the Coronavirus and COVID-19 became household words.  Marriott’s breach of 5.2 million compromised guest accounts and Twitter’s breach compromised accounts of Barack Obama, Jeff Bezos, and the like.  It ended with an explosion in December that included discovery of the largest known breach to date, the SolarWinds breach which affected many federal government agencies, much of the Fortune 500, and a yet-to-be-determined number of enterprise organizations.  SolarWinds’ Orion served the enterprise market and had 18,000 customers.  December 2020 also saw the largest reported ransomware payout of $34 million by Foxconn.  Add the increased cybercrime activity due to the pandemic-forced Work from Home new normal and you have the makings of a cataclysmic, cybercrime-ridden year.

But as the old knife commercials once urged, “Wait, there’s more!”  Not initially as well publicized as the above events, a company that works with large organizations called Accellion out of Palo Alto, California offers a software known as File Transfer Appliance (FTA) reported an attack that they discovered in December 2020 and is now reported to have lasted into January.  The software is twenty years old and scheduled to be retired in April.

When companies need to move copies of files from one computer to another over the internet, one of the oldest network protocols still in use is a commonly used program, File Transfer Protocol (FTP).  Free software versions exist on the web and inexpensive software and FTP appliances can be found, but for large organizations both capacity and security compete for primary importance and so enter a company like Accellion which specializes in this service.

Accellion reports that they have over 3,000 customers but it is unclear how many were affected by this breach.  It has been reported that only 10% of those clients use FTA but recently University of Colorado (click here to see announcement) announced that they were affected by the attack and published a list of the others affected and the list appears to be growing.  Some we know of like Kroger’s, which report that some but not all of their data might be affected but instead some HR data, money services records and pharmacy records.  Kroger is the largest grocery store chain in the U.S.  The state of Washington Auditor’s office reports that some 1 million applicants for unemployment benefits might be affected.  New Zealand’s central bank even reported some of its files stolen in the attack.

Among many others affected by the breach are the well-known law firms, Goodwin Proctor and Jones Day.  Both are very successful international law firms.  Goodwin Proctor was founded in 1912 in Boston, MA while Jones Day was founded in 1893 as Blandin & Rice and base in Cleveland, OH.  have histories of representing high profile and sometimes controversial clients even extending Donald Trump as of late.

The obvious question arises, was the target Jones Day and Goodwin Proctor?  Is this a trend among law firms or are there other concerns?  Jones Day and Goodwin Proctor are not the only law firms to be breached.  In 2020 alone Seyfarth Shaw suffered a ransomware attack in October.   Also in October, Fragomen, Del Rey, Bernsen and Loewy, a New York firm confirmed a data breach involving personal information of Google employees.  In November it was reported that the New York City Bar Association, the Chicago Bar Association and the law firm and Cadwalader, Wickersham & Taft had all experienced data breaches.

To look at it from the cybercriminal’s perspective, who better to steal data from than law firms and accounting firms?  Both have an abundance of data that in the wrong hands can be very profitable, but law firms also have confidential information on their clients and strategies on cases.  Think of all the inside information contained in your own files and you begin to understand how valuable your files are to the criminally minded, especially if one of your clients is Donald Trump or another recognized name.

As of this writing, we do not yet know who might have executed the attack.  Although no group has yet claimed responsibility, researchers have speculated that it might be one of two known groups.  The well-known cybersecurity firm FireEye (click here for their blog article), which was also a victim in the SolarWinds breach reported back in December, is working with Accellion and has identified a criminal hacking group “UNC2546.”  While not a catchy name, the UNC stands for “UNClassified” to differentiate it from the more common APT (advanced persistent threat), which is usually assigned to better known nation state groups like the Chinese affiliated APT31.  As an aside, this group has recently been reported to have used a hacking tool allegedly stolen by the hacking group calling itself “The Shadow Brokers” from the NSA in 2016.  The surprising thing is that they were using it two years before the breach which would indicate they stole it earlier and kept it hidden for themselves.

Another group known as CLOP (also known as CL0P with a zero instead of an O and various additional spellings) claims to have acquired 100 GB of data and leaked some of it in a separate breach on Jones Day’s servers, however Jones Day refutes that saying that the leaked data is a result of the Accellion hack.  CLOP may have ties to FIN11, a cybercriminal group that is often involved in high dollar crimes.

If this is starting to get confusing, do not be surprised.  First off, we are dealing with cybercriminal groups which often obfuscate evidence of their crimes, even planting evidence to incriminate rival gangs or other countries.  Sometimes they will confuse the scene of the crime well and then decide to take credit for the crime.  After all, they are criminals and one cannot expect honesty or even logical actions from them.

Second, since their freedom often depends on not being exposed, they often use various names, some names are applied to them by cybersecurity researchers and sometimes criminal groups band and disband over time and even take names from previous groups for a variety of reasons.

ClassAction.org has recently posted that Accellion is facing a class action suit over this breach which has been filed in California federal court accusing Accellion of being guilty of “negligent or careless acts and omissions.”  The article further quoted the lawsuit, “By obtaining, collecting, using, and deriving a benefit from Plaintiff’s and Class Members’ [personally identifiable information], Defendant assumed legal and equitable duties to those individuals.”

In an article by Stacy Cowley, www.money.cnn.com March 2, 2012, titled “FBI Director: Cybercrime will eclipse terrorism” Robert Mueller is reported to have stated that, “There are only two types of companies: those that have been hacked, and those that will be.  Even that is merging into one category: those that have been hacked and will be again.”  One would be hard pressed to find words more accurately describing where we are today than these.

The question now is what can you do about it?  This article is the first of a series that will give you practical advice on how to protect your business, your clients and employees.  The first three steps to a more secure business are commonsense that everyone can easily do, yet most do not.

The amount of prep work involved to avoid a breach may seem overwhelming, but it begins with education.  Every employee needs to be familiar with good computer hygiene.  Since the pandemic has reminded everyone of the three basics, let’s modify them for our purposes:

Frequent handwashing with soap	Passwords: Long, Strong and Unique; change often; MultiFactor Authentication
Mask Up when around others	Update Software and Firmware as available
Six Feet Social Distancing	VPN

• Everyone uses passwords for just about everything. Think of it as your first line of defense. You can have the strongest walls around you but if the doors and windows are open then the invading army will enter through those. The only way to stay on top of them without writing them down is to use a password management application like LastPass or Dashlane. It is one of the least expensive things you can do to protect your data.  At a minimum all of your passwords should:
  1. Be sixteen characters or longer, a random generated mix of upper and lower case, numbers and special characters. With today’s processing power and speeds password cracking software can crack the average password in seconds.
  2. Don’t use the same password twice, anywhere, anytime.
  3. Change the important ones every 30-45 days, and all of them once per quarter.
  4. Use multifactor authentication when possible. It is like a deadbolt on the front door of your data.
• Some of the largest and most destructive data breaches have occurred because the organization did not keep up with patches. Every month Microsoft issues updates to its products that are almost always entirely security patches, usually called Patch Tuesday—fixing vulnerabilities that are used or can be used by cybercriminals to deploy viruses.  Every Patch Tuesday is followed by Wednesday when cybercriminals who also received their Microsoft updates now know where the vulnerabilities are and modify their armory of exploits to use the new-found hole.  To be sure, most of the time those holes are well-known by the bad guys, it just points the less competent criminals in the most profitable direction for them.  When you don’t update your computers, mobile devices, routers and switches, you leave your equipment and your data vulnerable to every cybercriminal that finds you.  Think of the Equifax breach that occurred between May and July 2017 by China’s People’s Liberation Army according to the U.S. Department of Justice and the Federal Trade Commission affecting 148 million Americans.  Had Equifax promptly applied the patch to their Apache servers in the preceding March as was urged by the Apache Software Foundation that oversees the open-source web application, the breach would not have happened.  Almost everything that connects to the internet or is used in your network uses software to make it work.  You need to keep that software up to date or your data remains at risk for issues that have already been resolved.  Most companies employ other companies to do this for them, but it cost you nothing but time if you do it yourself.  Either way, it is very inexpensive protection.
• Use a Virtual Private Network (VPN). As with he previous two steps, the cost of a VPN is minimal and easy to administer.  An easy way to understand what a VPN does is to imagine you are heading home for the day but are being followed by some shady characters and you don’t want them to follow you home, so you take a bus or cab to the police station instead.  When they see you enter the police station they stop following you for obvious reasons.  A VPN is like a tunnel between you and a secondary location that masks your home address, in this your IP address.  Any time you are connected to a network or the internet in any way, you are assigned an IP address.  Think of it as your home address.  By using a different IP address cybercriminals that are looking for your IP address or just large amounts of data will not be able to trace your data transmission activities to you.  Any data transmission will appear to be associated with the VPN service provider of your choice.  You will want to choose a provider who:
  1. Has servers all over the world so that you can choose which location you want to broadcast from. Let’s say you’re in Europe—doesn’t matter if vacation or business if you use anything to connect to the internet.  You may not want to broadcast to the world that you are out of the country.  Social engineers that use spear phishing techniques would love to know that.  Also, if you are in the eastern part of Europe you may have difficulty getting a private line, meaning that no matter how you connect to the internet someone else may be on the connection with you.  A VPN with servers in Chicago will make it appear as though you are in Chicago.
  2. Encrypts all of your data. If you are using the hotel Wi-Fi (I strongly recommend against this) you will most likely be using what we used to call a party line.  The connection will be shared by others who will want the same access to your data that you have.  If all of your data is encrypted this minimizes the ability of others to access your data.
  3. VPNs also gives you a level of anonymity on the internet because your activity will be associated with the VPN’s IP address—not yours. Searching for information on your client?  If you aren’t ready to announce it to the world then you should be using a VPN.  Everywhere you go is known and recorded by your internet service provider and your browser as well as the websites you visit.  When they are hacked that information becomes the property of the criminal who hacked them who may choose to use it against you or sell it to some other criminal who will use it against you.

As you can imagine, there are many additional things to look for before purchasing a VPN service but here are three valid reasons for beginning the search.

In our next installment, we will look at three things you need to be doing to protect your office network.  Whether your office is at home these days or elsewhere, these steps to securing your data are significant to avoid being the next headline.