
Cyber Incident Victim: Casepoint

Date:

May 2023

Location:

United States of America

Summary

A legal technology firm experienced a potential cybersecurity incident after the ALPHV ransomware gang claimed responsibility for an attack. The threat actors listed stolen data on their dark web leak site, alleging they had exfiltrated two terabytes of sensitive information. This data reportedly included information from U.S. government agencies, sensitive health records, and internal documents. The company activated its incident response protocols, remained fully operational, and engaged an external forensic firm to investigate.

CIA Posture:

Available to members

Motives:

1 motive (details available to members)

Tactics, Techniques & Procedures:

2 techniques (details available to members)

Threat Actor:

1 actor (details available to members)

Type:

Available to members

Location:

Available to members

Description

Casepoint, a U.S.-based provider of a legal discovery platform for litigation, investigations, and compliance, initiated an investigation into a potential cybersecurity incident on May 30, 2023. The company, which serves high-profile clients including the U.S. Courts, the Securities and Exchange Commission (SEC), the U.S. Department of Defense (DoD), Marriott, and the Mayo Clinic, activated its incident response protocols and engaged an external forensic firm to assist with the investigation. This action was taken in response to claims made by hackers that they had compromised the legal technology platform. The company’s chief technology officer, Vishal Rajpara, confirmed these initial response steps but declined at that time to elaborate on the nature of the incident.


The ALPHV ransomware gang, also known as BlackCat, publicly claimed responsibility for the attack against Casepoint. The Russia-linked cybercrime group listed Casepoint on its dark web leak site, asserting it had successfully stolen two terabytes of sensitive information from the organization. The hackers claimed the stolen data included information from U.S. government clients and contained “many other things you have tried so hard to keep.” Samples of the exfiltrated data, which were reviewed by journalists, included sensitive health information from a hospital based in Georgia, a legal document, a government-issued identification card, and an internal document allegedly issued by the Federal Bureau of Investigation (FBI). The FBI did not provide public comment on the alleged theft of its document.

Following Casepoint's confirmation that it was investigating a potential incident, the ALPHV gang published an additional update on May 31. In this update, the threat actors shared what appeared to be login credentials for Casepoint’s internal systems, further supporting their claims of access. Despite these claims and the publication of data samples, Casepoint stated that its operations remained fully functional and that it had experienced no disruption to its services for its clients. The external forensic firm engaged by Casepoint was actively running scans and deploying advanced endpoint detection and monitoring tools across the company's systems to look for any signs of suspicious activity.

Throughout the initial phase of the investigation, Casepoint officials were circumspect in their public communications. Vishal Rajpara declined to confirm whether the company had received any communication from the ALPHV group, such as a ransom demand. He also declined to state whether the company possessed the technical capability to determine precisely what data, if any, had been accessed or exfiltrated from its systems. The company's public position was that it was early in its investigation and that it was committed to keeping its client base informed as more information became available through the forensic process. The primary focus was on the ongoing digital forensic analysis to establish the facts of the incident.

The ALPHV ransomware gang involved in the incident has a history of targeting large organizations. Prior to the Casepoint incident, the group had claimed attacks against other significant entities, including Amazon-owned video surveillance company Ring and NextGen Healthcare, a U.S.-based electronic health record software provider. The group's leak site was also used to host data stolen in an attack against Western Digital, although the hackers responsible for that particular breach claimed they were not formally affiliated with the ALPHV gang. Other previous victims of the ALPHV ransomware operation included Bandai Namco, the global aviation services provider Swissport, and Munster Technological University in Ireland. The attack on Casepoint continued this pattern of targeting organizations that hold large volumes of sensitive data. The potential compromise of data belonging to government agencies and major corporations highlighted the significant risk associated with the breach, given the legal and often highly confidential nature of the information processed by the Casepoint platform. The investigation continued in order to determine the full scope and impact of the potential data theft.

Sources:

1 source (available to members)