Legal Sector – Threat Intelligence Outlook 2024
Published: 29th January 2024 | In: Insights
Cybercriminal Operations
Overview
It is assessed as highly likely that financially motivated cybercriminal cartels will pose the greatest threat to the legal industry throughout 2024. This assessment is based on organisations within the sector having undergone significant digital transformation, thereby presenting a greater attack surface for cyber threat actors to target.
Within this context, ransomware operations will likely remain the top attack vector used against law firms due to the abundance of highly confidential and commercially sensitive data, as well as personally identifiable information (PII), that ransomware actors will likely attempt to leverage for extortion. Targeting will likely be intensified by the perceived lack of cyber security awareness amongst the associated workforces.
Finally, it is assessed as likely that “hack-for-hire” services offered by private sector offensive actors (PSOAs) will be in demand to conduct offensive operations with the purpose of exfiltrating data that could be leveraged within ongoing legal disputes.
Risk Intelligence Assessment
Due to the potential for successful extortion attempts and the resulting financial gain, it has been assessed that financially motivated cybercriminals will pose a severe risk to the legal sector throughout 2024.
Nation State-Sponsored Campaigns
China
Overview
China-affiliated advanced persistent threat (APT) units pose the greatest nation state-level threat to the legal sector, due to dealings with intellectual property (IP) rights within the litigation process.
Risk Intelligence Assessment
Cybercriminals are attempting to steal IP in alignment with the People’s Republic of China’s (PRC) “Made in China 2025” objectives of advancing its technology. Chinese state-sponsored threat actor groups will therefore pose a substantial risk to the legal sector because IP theft will allow Beijing to compete with the West by introducing innovative products to the marketplace, thereby strengthening the Chinese economy.
Russia
Overview
With Moscow-backed cyber operators focusing on sabotaging NATO-based entities in response to their support for Ukraine, it is likely that Russian-sponsored offensive operations will spill over into the legal sector, as high-profile government bodies, such as the Ministry of Defence, have dedicated legal departments.
Risk Intelligence Assessment
With the potential to sabotage high-profile rival entities, it has been assessed that Russia-affiliated cyber aggression will pose a substantial risk for the legal sector throughout the calendar year.
North Korea
Overview
With a substantial portion of law firms conducting business within wider supply chains, they will likely become exposed to North Korea-aligned cyber aggression. A primary initial ingress mechanism leveraged by Pyongyang-directed state actors is the exploitation of software vulnerabilities.
Risk Intelligence Assessment
Due to the potential for financial gain, it has been assessed that North Korean threat actors will pose a moderate risk to the legal sector throughout 2024.
Iran
Overview
Due to rising tensions, there is a realistic possibility that Iran-affiliated cyber operations launched against Western organisations perceived to be hostile to the regime could spill over into the law sector, as a substantial portion of target companies operate in alignment with legal advisors.
Risk Intelligence Assessment
It has been assessed that Tehran-aligned threat actors will pose a moderate risk to the legal sector as the calendar year progresses.
Hacktivist DDoS Attacks
Overview
Intelligence indicates that hacktivist collectives are launching distributed denial-of-service (DDoS) operations against law firms at increasing rates. Legal organisations acting on behalf of clients at odds with hacktivist ideological agendas will likely emerge as targets. Those engaged with energy sector affairs will likely be of particular interest to hacktivist threat actors due to the affiliation with critical national infrastructure (CNI), therefore providing the greatest potential for disruption.
Risk Intelligence Assessment
It has been assessed that ideologically driven hacktivist collectives will pose a moderate risk to the legal sector throughout 2024.
Elections
Overview
Finally, with a packed agenda of political elections scheduled for 2024, nation state-sponsored espionage units will likely launch campaigns with the objective of exfiltrating information that could be leveraged to degrade the reputation of politicians and state officials perceived to be in opposition to sponsoring state agendas. Law firms representing such figures, or their affiliates, will likely be at increased risk of such targeting.
Risk Intelligence Assessment
Sophisticated cyber espionage campaigns will pose a substantial risk to the legal sector throughout the calendar year, as nation state-level threat actors will likely seek to sway public opinion by altering the perception of voters who could support electoral candidates perceived to be in opposition to sponsoring state agendas.
Author
Craig Watt
Craig is a Threat Intelligence Consultant at Quorum Cyber, specialising in strategic and geopolitical intelligence.
Appendix A – Terminology Yardstick
Intelligence Terminology Yardstick
Key assessments within this report have been written using the Intelligence Terminology Yardstick. The assessed likelihood of events corresponds with pre-defined language to remove areas of uncertainty when ingesting Quorum Cyber Threat Intelligence reports.
Intelligence Cut-off Date (ICoD): 26/01/2024 10:00 UTC
Appendix B – Threat Assessments
Risk Terminology
The Quorum Cyber Threat Intelligence team utilises the risk terminology taxonomy outlined below to provide assessments regarding cyber threats.
| Risk Terminology | Criteria | Assessed Threat Level |
| --- | --- | --- |
| Low | If a threat actor fits only one of the following: Capability, Hostile Intent, Opportunity | Attack is highly unlikely |
| Moderate | If a threat actor has both Capability and Opportunity but not Hostile Intent | Attack is possible but not likely |
| Substantial | If a threat actor has Hostile Intent and Capability, or Hostile Intent and Opportunity | Attack is likely |
| Severe | If a threat actor has Capability, Hostile Intent and Opportunity | Attack is highly likely |
| Critical | If a threat actor has all three and there is intelligence to suggest that an entity is under current targeting interest | Attack is highly likely in the near future |