Cyber Incident Victim: HWL Ebsworth
Date: Mar 2023
Location: Australia
Summary
The Russia-linked ALPHV/BlackCat hacking group claimed a major breach of Australian law firm HWL Ebsworth, exfiltrating approximately 4 terabytes of sensitive data. The stolen information included extensive internal company files, personal employee data, and confidential client documents such as financial reports and credentials. The firm engaged third-party experts and notified the Australian Cyber Security Centre to investigate the claims, stating its operations were not impacted and that no signs of ongoing system access or encryption were detected.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around March 31, 2023, the Russia-linked cybercriminal group ALPHV, also known as BlackCat, executed a significant cyber incident targeting the Australian law firm HWL Ebsworth. The group, which is believed to be composed of former members of the DarkSide and BlackMatter groups, employs a strategy known as "big game hunting," focusing on high-value targets to extort large ransoms. The firm first became aware of the incident on Friday, March 31, when an unauthorized third party claimed to have taken a significant amount of data. The hacking group publicly claimed responsibility for the breach, stating it had successfully exfiltrated approximately four terabytes of data from the law firm's servers. This stolen data was described as encompassing a vast range of sensitive internal and client information.

The scope of the data theft was extensive. According to ALPHV's claims, the compromised data included internal company files and personal employee information such as CVs, identification documents, financial reports, accounting data, loans data, and insurance agreements. The breach also extended to client documents, which allegedly contained loan data, credit card information, and other financial data. Furthermore, the attackers claimed to have obtained a complete mapping of the law firm's internal networks, including system credentials. To substantiate their claims, ALPHV posted a number of sample documents on their dark web victim site. One of these sample documents appeared to have been drafted by another law firm, Ashurst, indicating the potential exposure of legally privileged material. The exposed client list was significant: over the preceding five years it had included major Australian government entities and large corporations, such as the Reserve Bank of Australia, the Australian Electoral Commission, the Department of Parliamentary Services, the Australian National University, Qatar Airways, BT Financial Group, First Quantum Minerals, and Chevron's Puma Energy petrol station network.
Upon discovery of the claims, HWL Ebsworth acted quickly to initiate its response. The firm engaged third-party cybersecurity experts to assist in determining the validity of the hackers' claims and to investigate the potential impact. The firm's initial public statements emphasized that the privacy and security of client and employee information were of the utmost importance. They also stated that, at that time, there was no evidence that any third party was currently accessing their systems and no signs of ransomware encryption had been detected on their network. This suggested the incident was primarily a data theft and extortion operation rather than a disruptive encryption event. The firm officially notified the Australian Cyber Security Centre (ACSC) and began working with the government agency as part of its response. HWL Ebsworth assured stakeholders that its operations were not impacted and that it continued to provide service to its clients while the investigation was ongoing.
The group ALPHV is considered one of the most sophisticated and prolific threat actors targeting Australian organizations. Cybersecurity analysts noted that approximately forty percent of the attacks executed by ALPHV in Australia have been against professional services firms. This targeting is deliberate, as these firms are assessed by threat actors as holding highly sensitive information that can be effectively leveraged for extortion. The group uses multiple strategies to gain initial access to victim networks, including exploiting known software vulnerabilities and employing a technique involving malicious Google ads. Since its emergence in late 2021, ALPHV has focused intensely on harm maximization. A notable tactic pioneered by the group was the release of stolen data onto the public internet, not just the dark web, and in a searchable format. This approach significantly lowers the barrier for public access to the stolen information, thereby increasing the potential harm and reputational damage to the victim organization and increasing pressure to pay a ransom.
The potential consequences of the breach were severe due to the highly sensitive nature of the data held by a major legal partnership. Access to such a large quantity of internal and client data could have wide-ranging repercussions, including identity theft, financial fraud, and the exposure of confidential legal strategies and privileged communications. The compromise of network maps and credentials also posed a secondary threat, potentially enabling further attacks against the firm or its clients. The ACSC, which operates within the Australian Signals Directorate, maintains a firm policy advising companies never to pay a ransom. This advice is based on the understanding that there is no guarantee cybercriminals will decrypt files or delete stolen data after payment is made, and there is a significant chance that files may not be recoverable even if a ransom is paid. The investigation by HWL Ebsworth and its third-party experts continued with the focus on verifying the exact scope of the data theft and identifying all affected parties. The firm committed to providing further updates to its stakeholders as new information became available throughout the process.
