‘Big game hunting’ hackers ALPHV claim major breach of law firm HWL Ebsworth

A HWL Ebsworth spokesman said the firm became aware on Friday of an unauthorised third party claiming it had taken a significant amount of data from the firm.

“The privacy and security of our client and employee information is of the utmost importance to us,” he said.

“As soon as we learnt of this potential incident, we acted quickly to respond to the threat and have been working with third-party experts to determine the validity of the claims, and to ensure the ongoing safety and security of our systems.”

HWL Ebsworth has notified, and is working with, the Australian Cyber Security Centre.

“At this time, we are still determining the credibility of the claims made and the potential impact to any data,” the spokesman said.

“There is no evidence that any third party is currently accessing our systems and no signs of encryption have been detected.

“We will continue to provide updates to our stakeholders, as appropriate, as new information becomes available. While investigations are ongoing, our operations are not impacted, and our focus remains on providing exceptional service for our clients to the high standards of our firm.”

If ALPHV proves to have the documents it says it obtained, it would have access to some of HWL Ebsworth’s most sensitive and valuable data. The breach could also have repercussions for other law firms that have faced HWL Ebsworth; one of the sample documents released by ALPHV, for example, appears to have been drafted by Ashurst.

Katherine Mansted, director of cyber intelligence and public policy at CyberCX, said ALPHV has a strategy of “big game hunting”, with 40 per cent of the attacks it has executed in Australia being on professional services firms.


“They’re one of the most prolific threat actors in Australia and have been for some time since they first emerged on the scene. We have observed them compromise at least 14 Australian organisations and a lot of those are in the professional services sector,” she said.

“It’s been quite deliberate about the targets that it attacks; professional services is a sector that ALPHV assesses as having some pretty sensitive information that it can hold at risk.”

Ms Mansted said ALPHV, which is believed to be made up of former members of cybercriminal groups DarkSide and BlackMatter, has focused intensely on harm maximisation since the group appeared in late 2021.

“They were the first to release stolen data onto the public internet, not just the dark web, in a searchable form,” she said. “The reason they do that is it maximises the harm of data that’s stolen because there’s fewer barriers for ordinary everyday citizens with low tech expertise to be able to read and access the stolen information.”

The ACSC, which sits within the Australian Signals Directorate, advises companies never to pay a ransom as there is no guarantee cybercriminals will decrypt files once the ransom is paid, and there is a chance files may not be recoverable.
