Jones Day disputes claimed breach; points to hacked vendor; hacker points back to them (UPDATE2)
Although Jones Day failed to respond to multiple inquiries sent to it by this site about a ransomware attack claimed by CLOP threat actors*, the giant law firm apparently responded to inquiries by the Wall Street Journal. Their statement, however, omits important information and has been disputed by the threat actors.
WSJ reports, in part:
Jones Day, in a statement, disputed that its network has been breached. The statement said that a file-sharing company that it has used was recently compromised and had information taken. Jones Day said it continues to investigate the breach and will continue to be in discussion with affected clients and appropriate authorities.
In their statement to WSJ, Jones Day identified the company as Accellion.
Jones Day has since given the same or similar statement to American Lawyer.
Regular readers of DataBreaches.net have seen a number of reports about a recent Accellion breach. Accellion provides file transfer software to firms. It issued its first statement about a breach on January 12, later clarifying that they discovered the breach mid-December, issued a patch within 72 hours, and notified affected clients on December 23. In a subsequent update, they acknowledged finding other vulnerabilities that were also addressed.
Some of Accellion’s affected clients (SingTel, Royal Bank of New Zealand, the law firm of Goodwin Procter, the State of Washington and University of Colorado) issued their own press releases, stating that they were notified later than what Accellion’s statement would suggest.
Jones Day never issued any press release about being impacted by the Accellion breach. And although there are logs in the CLOP data dump that do show automated attempts to connect to Accellion, CLOP denies that the data came from a hack of Accellion.
Accellion’s timeframe is important. In its updated press release, the company admitted that after patching the initial vulnerability, it discovered others that needed patching, and that the attacks on it continued into January. It does not specify when in January. Were the attackers still exfiltrating files in mid-January? If not, then the data dump may not come from Accellion, because this site previously noted two files dumped by the threat actors that were dated January 14 and January 15, 2021. Although DataBreaches.net presented redacted versions, this site verified that these documents refer to verifiable litigation, including the judge’s name, the case captions, and, for one item, the docket number.
So when did Accellion secure everything and when was Jones Day notified, if they were notified at all?
Jones Day was asked to answer some questions by this site after the WSJ published its report. This time, DataBreaches.net asked Jones Day whether it had actually ever been notified by Accellion that it had been impacted by the vendor’s breach, and if so: (1) when, and (2) did it notify any clients? No reply had been received by publication time. DataBreaches.net also reached out to CLOP to ask about Jones Day’s claims. A spokesperson for CLOP responded:
we hacked their server where the Accellion was and took the data from there. we spammed all over the company and all over the contact sheet. they repeatedly entered the chat and were silent
CLOP did not provide any screenshots to support that statement.
So was Jones Day the victim of a direct attack? CLOP has dumped more files over the past few days, so the law firm should be able to confirm whether the files came from the server CLOP has now described.
This post will be updated if a response from Jones Day is received. Accellion was also asked exactly when the last attack occurred to determine if it was before or after January 15.
* Jones Day appears to be correct in claiming that it wasn’t a ransomware attack. The threat actors informed VICE that they did not encrypt the files. A sentence later in the report above was edited post-publication to change “ransomware” to “direct.”
Update of Feb. 17: A report on SingTel’s breached data contains some dates and details that may be relevant to the Jones Day claims. The Edge Singapore reports that SingTel knew of the hacking attempts on Accellion back in December, in response to which, “a series of ‘patches’ were applied including the last one on Dec 27.” The report continues:
Yet, on Jan 23, Accellion, a privately-held, California-based cloud solutions provider, said a new vulnerability was found and that previous patches were of no use. Singtel took the system offline immediately.
On 30 January, Singtel’s attempt to patch the new vulnerability in the file sharing system triggered an anomaly alert. Accellion informed thereafter that the system could have been breached.
Singtel’s investigations later confirmed this and identified January 20 as the date the breach occurred. The file sharing system has been kept offline since January 23.
If these statements are accurate, then yes, the Jones Day data with dates in mid-January could have been compromised through the Accellion attacks. The Edge Singapore report also states:
Yuen stresses that Singtel’s own core operations and functions remain unaffected and sound and this incident involves a standalone system provided by a third-party vendor.
Could this be what happened with Jones Day? It could be, and it would be consistent with Jones Day claiming that it was not their breach. It is looking more and more like CLOP got Jones Day’s data through the law firm’s use of Accellion’s FTA. So when did Accellion inform Jones Day of the breach, or when did Jones Day first discover it?
Accellion would not answer the question as to when the last attack occurred, sending this site the same statement they sent to other outlets:
Accellion is conducting a full assessment of the FTA data security incident with an industry-leading cybersecurity forensics firm. We will share more information once this assessment is complete. For their protection, we do not comment on specific customers. We are working with all impacted FTA clients to understand and mitigate any impact of this incident, and to migrate them to our modern kiteworks content firewall platform as soon as possible.
There are many unanswered questions as yet, including what CLOP really did or did not do.
Update 2: It is now clear that CLOP was less than truthful when it said it attacked Jones Day directly but not Accellion. In fact, it has started dumping data from a number of Accellion clients on its dedicated leak site, as first reported by Risky.Biz Newsletter yesterday. In addition to Jones Day, CLOP is dumping data from SingTel, Fugro, the American Bureau of Shipping (Eagle.org), and Danaher.
According to Risky.biz:
All five companies have historically published web portals where customers or third parties could send or receive large files using an Accellion file transfer appliance.
At this point, we don’t know what role the CL0P group played in the attacks on Accellion customers. The ransomware gang might only be helping other attackers monetise the theft of data.
Whatever their role, we agree with Risky.biz that this does not bode well for Accellion’s other clients who were impacted by the FTA incident. Most of these entities have not come forward yet.