US charges 3 Chinese hackers over malware attacks on law firms

Cyber tensions between China and US have resurfaced as American authorities brought forward criminal charges against three Chinese citizens, accused of having hacked into US-based law firms to facilitate insider trading. US authorities reportedly claim that the suspected hackers compromised the unnamed law firms' networks and servers by deploying malware and accessed classified information pertaining to various acquisition deals.

According to US prosecutors, the Chinese hacking trio raked in over $4m by placing trades in at least five company stocks, presumably using illegally accessed insider information from several undisclosed law firms. The fraudulent deals involved companies such as Intel Corp (INTC.O) and Pitney Bowes Inc (PBI.N). Despite attempting to hack seven firms, the suspects are alleged to have only infiltrated two.

"This case of cyber meets securities fraud should serve as a wake-up call for law firms around the world: you are and will be targets of cyber hacking, because you have information valuable to would-be criminals," said federal attorney Preet Bharara in a US Department of Justice release.

The case follows recent warnings issued by US authorities of law firms being vulnerable to potential cyberattacks and is the latest of its kind to involve hacking.

Stephen Boyer, co-founder and CTO of BitSight told IBTimes UK, "Legal service providers have access to a company's intellectual property, financials, strategic plans, and private employee information. In addition, law firms are one of the most widely-used third party service providers across the world. The impact of a breach on a law firm could be severe for not only the firm, but also their hundreds of clients."

According to the U.S. Securities and Exchange Commission, the three men posed as IT professionals, listing themselves as such in brokerage records.

The arrest of one of the hackers, Iat Hong, on 25 December in Hong Kong was revealed by Manhattan-based federal attorney Bharara on Tuesday (27 December). Thirteen charges are being levelled against the alleged hackers Hong, Bo Zheng, and Chin Hung — including computer intrusion and insider trading.

"The defendants targeted at least seven law firms as well as other entities in an effort to unlawfully obtain valuable confidential and proprietary information," the US Department of Justice said.

According to US prosecutors, the trio began their cyberattack campaign in April 2014, targeting email accounts of key personnel in major international US law firms. Those targeted included firm partners working on mergers and acquisitions.

The indictment revealed that the trio infected the law firms' servers with malware by using stolen employees' credentials, in efforts to gain access to emails. Reports speculate that one of the law firms affected may likely be New York-based Cravath, Swaine & Moore LLP. The firm represented Pitney Bowes in its 2015 acquisition of Borderfree Inc. In March, the firm acknowledged discovering a "limited breach" of its systems in 2015.

Boyer warned of the increasing likelihood of similar attacks in the future. "Legal firms, as a sector, are performing in line with the retail industry, which, as we have seen in the headlines, have been and continue to be targeted by attackers," he said. "In 2017, we expect to see more attacks on legal service providers, fuelled by the desire to acquire sensitive data and to attack the firm's clients. Companies cannot neglect legal services providers in the efforts to continuously monitor the security performance of their third party ecosystem."

The maximum prison sentence for each of the 13 charges ranges from five to 20 years. Following Hong's arrest on Christmas Day, he now faces extradition proceedings and is expected to reappear in court on 16 January 2017.