Australian Govt holds crisis talks over Russian cyber-attack on major law firm

The federal government is in crisis talks to determine what data has been stolen by Russian hackers after major law firm HWL Ebsworth was compromised in a cyber-attack.

The law firm has contracts across 40 government departments and agencies including defence and foreign affairs, worth tens of millions of dollars.


Background from the iTWire website

It is more than somewhat ironical that HWL Ebsworth, the Australian law firm that is reeling after a ransomware attack that led to massive data theft, has a slogan on its website saying, “We’re not your typical law firm”.

The company also says “The traditional law firm model is tired. This is its wake up call”. Observers would heartily agree with both slogans, given that the typical law firm is definitely not struggling to cope with the after-effects of such a huge theft of data.

On Monday, HWLE sought, and obtained, an injunction from the Supreme Court of NSW, preventing both the attackers and the media from publishing details about the intrusion. It informed many media organisations about this on Tuesday; as iTWire was not included, I wrote and requested a copy of said email. There was silence from the law firm.

But in seeking that very injunction, HWLE had to provide a lot of detail in affidavits to said court, and the Australian Financial Review has milked this trove of information to tell world+dog a lot more about the company than would have otherwise been put out there had it not tried to use legal means to curb the flow of information.


The AFR’s Sam Buckingham-Jones and Michael Pelly, in two articles on 14 and 15 June, have provided ample detail to satisfy even the most ardent voyeur. 

For those who haven’t heard of this attack, HWLE was hit by the Alphv ransomware gang sometime in April. The attackers then tried to negotiate a ransom of US$4.6 million (A$6.8 million) or US$4 million in the Monero digital currency.

Buckingham-Jones and Pelly have the gory details of the negotiations here, and it is well worth a read. One additional detail: the entry point for Alphv was a personal computer belonging to a staff member.

As to the information that was available for pilfering, there was government information, confidential information about corporate clients, and personal data from hundreds of clients going back five years, according to the affidavits.

Given that the injunction was obtained from an Australian court, iTWire asked another law firm, Corrs Chambers Westgarth, about how useful it would be in stopping someone in a foreign location from doing what he/she liked with the data.

Michael do Rozario, partner and cyber security expert at this company, replied: “All Australian Supreme Courts have ample jurisdiction to issue injunctions to foreign defendants when the claim is founded on a cause of action arising in Australia.

“The NSW Supreme Court has jurisdiction on matters that can be connected to NSW. It does not matter whether the defendant is physically in the state or the country.

“In relation to a case like this, the NSW Supreme Court clearly has jurisdiction to issue the injunctions that were obtained by HWLE and there is no relevant geographical limit.

“The extension of the orders to viewing or publication of the stolen data by third parties is a sensible move, attempting to limit the publication of the stolen data in the media and on the Internet.

“It will dissuade most law-abiding media companies, websites and news services from publishing the stolen data (or links to it) and commercial data hosting sites will have regard to the orders, and take down the stolen data on request, if a person attempts to use commercial hosting/cloud to publish the stolen data.

“That is not to say that criminals will necessarily be dissuaded from publishing the data on the dark web, but by obtaining these orders HWLE has taken a sensible step to limit the access to the stolen data.”

As iTWire has already reported, a seasoned ransomware researcher, Brett Callow of the New Zealand-based security firm Emsisoft, is of the opinion that such an injunction is unlikely to trouble the attackers in any way.