
Legal firm HWL Ebsworth suffers Russian cyber attack: client, employee data stolen

One of Australia’s largest commercial law firms has fallen victim to an infamous Russian hacking group with over 4 terabytes of internal data taken.


One of Australia’s largest commercial law firms, HWL Ebsworth, has suffered a major cyber attack, according to an infamous Russian hacking group, with 4 terabytes’ worth of internal company data, including employee CVs and client data, stolen.

The notorious ransomware group BlackCat Ransomware, also known as ALPHV, posted over the weekend that it had downloaded a trove of information including a complete map of local and remote company credentials, client documents including IDs, credit card information and loans data, and internal company data including insurance agreements.

HWL Ebsworth was contacted for comment.

The legal firm has offices across the country and is the only commercial law firm to have offices in every Australian state or territory.

“Our national team represent a broad spectrum of Australian and international clients including many state and federal government agencies, public and private companies and small businesses,” the company’s website reads.

“HWL Ebsworth’s technology team advise on legal issues associated with a variety of technology and telecommunications projects. Our team is highly experienced and has an intimate knowledge of the Australian technology and telecommunications environment.”

It’s understood that the Australian Cyber Security Centre (ACSC) has been notified about the attack. Under Australia’s Security of Critical Infrastructure Act, businesses who are aware of a critical cyber security incident must notify the ACSC within 12 hours of becoming aware of the incident.

It comes amid a spate of high-profile ransomware attacks hitting Australian businesses. Australia’s largest health insurer Medibank last week said it had implemented recommendations from a Deloitte report into a Russia-based cyber attack that affected millions of its customers, but said it won’t be releasing the report, citing security risks.

Juan Martinez, managing partner of HWL Ebsworth.

Russian hackers accessed the health records and other personal information of almost 10 million current and former Medibank customers. After the company refused to pay a $15m ransom, the hackers published customer claim data for sensitive conditions – including abortions, drug and alcohol abuse and mental health disorders – on the dark web.

Optus is also waiting on an external Deloitte report into its hack, also late last year, that affected some 10 million Optus customers. Optus has not said whether the report, which is due in late May, would be made public.

Medibank refused to pay the hackers’ ransom, and a key consideration of the government’s upcoming cyber strategy will be whether to ban the payment of cyber ransoms. Finance provider Latitude this month also rejected a ransom demand from criminals behind what has now become the nation’s biggest cyber attack.

As The Australian reported last week, power giant AGL Energy has warned against such a ban, declaring that such a move may result in potential loss of life and “catastrophic damage”.

In its submission to the government’s 2030 cyber strategy, AGL said banning paying ransoms “may result in potentially avoidable catastrophic damage, harm to community, loss of life, disruption of essential services or disclosure of sensitive information”.

Hacking group BlackCat first appeared in 2021 and is thought to be a spin-off of Russian-language hacking groups REvil and DarkSide.

REvil was a Russian-speaking ransomware group formed in 2019, which would publish information on their page ‘Happy Blog’ unless the ransom was received. Australian victims of REvil ransomware attacks include Nine Entertainment and UnitingCare Queensland.

The group was shut down in January 2022, when the Russian Federal Security Service said it had dismantled REvil and charged several of its members after being provided information by the US.

Meanwhile a US-based attack on Colonial Pipeline, which operates the largest fuel pipeline system in the US, was believed to be carried out by hacker group DarkSide.


Original URL: https://www.theaustralian.com.au/business/technology/legal-firm-hwl-ebsworth-suffers-russian-cyber-attack-client-employee-data-stolen/news-story/2c4927dccc9eaa01add2f7a7379e1de0