Cyber Incident Victim: K&L Gates LLP

Date: May 2023

Location: United States of America

Summary

The law firm K&L Gates was impacted by the mass exploitation of a vulnerability in the MOVEit Transfer file-sharing software, an incident claimed by the Clop ransomware gang. The attackers posted the firm's name to their data leak site, indicating that data had been stolen. This global cyberattack, which affected numerous other organizations, resulted from the exploitation of a zero-day vulnerability in the software, leading to a widespread compromise of sensitive information.

Description

The incident involving K&L Gates was part of a wide-ranging global cyberattack that exploited a vulnerability in the MOVEit Transfer software, a file management tool developed by Progress Software. The ransomware gang known as cl0p, also referred to as TA505, was identified as the perpetrator behind this massive breach. This group, believed by researchers to be Russian-speaking, claimed responsibility for stealing data from numerous organizations, including the law firm K&L Gates LLP. The exploitation of the MOVEit software vulnerability is reported to have occurred around the Memorial Day weekend in the United States, which fell on May 29, 2023. Attacks around holidays are noted as a signature tactic of the cl0p group.

On June 28, 2023, the cl0p gang publicly posted the names of Kirkland & Ellis LLP and K&L Gates LLP to its dark web leak site. This action is typically a sign that negotiations between the victims and the hackers had broken down, suggesting that the firms did not meet the extortion demands. The hackers' claims could not be immediately verified by external sources at the time they were made. Representatives for K&L Gates did not immediately return messages seeking comment on the matter. The U.S. Department of Health and Human Services (HHS) was also confirmed to be affected by the same wide-ranging hack, though its name did not appear on cl0p's leak site. An HHS official stated that while no HHS systems or networks were directly compromised, attackers gained access to data by exploiting the vulnerability in the MOVEit Transfer software used by third-party vendors. Bloomberg reported that tens of thousands of records at HHS could have been exposed.

The scope of the incident was extensive, impacting far more than just law firms. According to cybersecurity expert Brett Callow, more than 16 million individuals may have been affected by the broader breach. The attacks hit a wide swathe of organizations globally, including universities, banks, and insurance companies. The group behind the attack, which also uses the name “Lace Tempest,” is known for demanding millions of dollars in extortion fees. In response to the group's activities, the U.S. State Department had previously placed a $10 million bounty seeking information on the group’s leader and ties to a foreign government.

The core of the incident was the compromise of the MOVEit Transfer application. cl0p was able to gain access to data by exploiting a vulnerability in this commercial software product. Organizations that used this software for secure file transfers were vulnerable to attack, allowing the hackers to exfiltrate data. For victims like K&L Gates, this meant that data belonging to the firm and its clients was potentially accessed and stolen. The specific nature and volume of data taken from K&L Gates were not detailed in the available reports. Similarly, the exact method of initial detection for the breach at the firm was not publicly disclosed.

The public response from K&L Gates was not reported in the immediate aftermath of the claims. Emails to the firm's New York offices on the weekend of July 8th were not returned, indicating a lack of public commentary at that time. The incident formed part of a larger pattern of behavior by the cl0p group, which cybersecurity firm Trend Micro described as resourceful and with little incentive to stop its extortion activities. The group continued its operations despite increased attention from law enforcement and government agencies. The long-term consequences for K&L Gates and the other affected law firms include potential reputational damage, legal implications from client data exposure, and the financial costs associated with incident response and remediation. The full impact on their clients and the specific measures taken by the firms to contain the breach were not elaborated upon in the source material.
