Cyber Incident Victim: Kirkland & Ellis LLP
Date: May 2023
Location: Russia
Summary
Kirkland & Ellis was impacted by a mass-exploitation of a vulnerability in the MOVEit Transfer file-sharing software. The intrusion was attributed to the Clop ransomware gang, which claimed to have stolen data from the law firm and posted its name to its leak site. The incident was part of a wider attack that affected numerous other organizations, including government agencies, banks, and universities.
Description
The incident involving Kirkland & Ellis was part of a wide-ranging, global cyberattack that occurred on or around May 27, 2023, coinciding with the Memorial Day weekend in the United States. The attack exploited a previously unknown vulnerability in MOVEit Transfer, a commercial file management tool developed by Progress Software. The ransomware gang known as cl0p, also identified as Clop and TA505, claimed responsibility for the massive breach. This group, believed by researchers to be Russian-speaking, has a signature of conducting attacks around holidays to capitalize on potentially reduced security staffing.

The attackers successfully compromised the MOVEit software to gain unauthorized access to the data of numerous organizations that used the application for secure file transfers. Kirkland & Ellis LLP, along with other major law firms including K&L Gates LLP and Proskauer Rose, was among the victims. The hackers did not compromise the internal networks of these law firms directly; instead, they infiltrated the systems by targeting the vulnerability present in the third-party MOVEit Transfer software utilized by these organizations.
On June 28, 2023, the cl0p gang publicly claimed credit for stealing data from Kirkland & Ellis and K&L Gates by posting their names to its dark web leak site. This action is typically interpreted as a sign that any prior negotiations between the victims and the hackers had broken down and that the threat actors intended to release or sell the stolen data. The claims made by the hackers could not be immediately verified by external sources at the time of the announcement. Attempts to contact Kirkland & Ellis for comment after business hours were not immediately returned.
The scope of the incident was vast, extending far beyond the legal sector. The U.S. Department of Health and Human Services (HHS) was also affected through the same vulnerability in a third-party vendor's MOVEit software. An HHS official confirmed that while no internal HHS systems or networks were directly compromised, attackers gained access to department data by exploiting the software flaw in its vendors. Bloomberg reported that tens of thousands of records from HHS could have been exposed. The cl0p group itself did not list HHS on its leak site, consistent with its previous claims that it avoids deliberately targeting government organizations, though this does not preclude government data from being compromised indirectly.
In total, the attack impacted a wide swath of organizations globally, including universities, banks, and insurance companies. A cybersecurity expert, Brett Callow, estimated that more than 16 million individuals may have been affected by the overarching data breach. The ransomware gang, which communicates under the name “Lace Tempest,” is known for demanding multimillion-dollar extortion fees from its victims. In a related action, the U.S. State Department had previously placed a $10 million bounty on information about the group’s leaders, seeking to tie their activities to a foreign government.
The response to the incident involved the identification of the software vulnerability by its developer, Progress Software, which subsequently issued patches. Affected organizations, including Kirkland & Ellis, would have needed to apply these patches to their MOVEit Transfer installations to prevent further exploitation. The public disclosure of the firms' names on the cl0p leak site indicated that the incident had progressed to a stage where data theft was claimed and the threat of public release was imminent. The specific nature of the data stolen from Kirkland & Ellis, the number of records involved, and whether a ransom was demanded or paid were not disclosed in the available reports. The full impact on the firm's clients and the exact consequences of the data breach remain undetermined based on the provided information. The incident highlights the significant risk posed by vulnerabilities in third-party software supply chains and the continued operational threat from sophisticated ransomware groups.
