UPDATE: Milan, Italy: Data theft targeting a law firm, ransomware group BianLian claims responsibility for the attack.

UPDATE: Milan, Italy: Data theft targeting a law firm, ransomware group BianLian claims responsibility for the attack. 1
UPDATE: 8/28/2024 

Prior to the publication of the article on August 24, we had sent an email to the law firm requesting a statement regarding the data breach perpetrated by the cybercriminal group BianLian on July 31. On the same day, we also contacted the group, asking them to respond to a series of our questions.

Yesterday, August 27, we received a reply via email from the Isolabella Law Firm, informing us that

[…]Sarà nostra cura fornirle aggiornamenti non appena saranno in nostro possesso.[…]

([…] We will ensure to provide you with updates as soon as we have them.[…])

This afternoon, via the qTox instant messaging protocol, a member of the ransomware group sent us the responses to the questions we had submitted a few days ago.

SuspectFile.com: Can you confirm that the amount of exfiltrated data is 1.3TB? Could you please provide proof?

BianLian: Yes. Sure, we can provide you with proof

SuspectFile.com: Were the data also encrypted? If so, was it a portion or the entire 1.3TB of exfiltrated data?

BianLian: No

SuspectFile.com: The law firm claims that the server where you “deposited” the exfiltrated files has been blocked. Do you confirm their statement?

BianLian: The initial server was blocked. But we had enough time to backup

SuspectFile.com: Did the law firm have access to the negotiation chat? If so, did their negotiator send any messages?

BianLian: Yep, sent

SuspectFile.com: The law firm stated on their website that they detected the intrusion into their servers on July 31st. Did your affiliate have access to the law firm’s IT systems on this date? If not, when?

BianLian: They have detected our activity on about that time

SuspectFile.com: If no agreement is reached, will you publish the data in your possession, or will you transfer/sell them to third parties?

BianLian: All their data we have will be published on our website

SuspectFile.com: How much did BianLian demand to decrypt/return the exfiltrated data?

BianLian: [He did not respond]

At present, BianLian has not provided any evidence regarding the amount of data exfiltrated during the cyberattack. We will update the article if new information becomes available regarding the case.

 



8/24/2024

A data theft occurred towards the end of last July, targeting the Isolabella Law Firm in Milan (Studio Isolabella). The victim itself reported the data breach through three statements published so far on its website.

The first statement was issued by Studio Isolabella on July 31st, nearly a month before the ransomware group BianLian made their claim public just a few hours ago by naming the Milanese law firm on the homepage of their blog within the Tor network.

In the initial statement, the law firm declared that, although some data stored on the servers had been exfiltrated by BianLian, the cybercriminal group was unable to encrypt them thanks to protection systems installed on the servers and the prompt intervention of an IT specialist team.

Lo Studio legale Isolabella ha subito un attacco informatico che è stato contrastato dai sistemi di protezione e da un team di specialisti. Queste reazioni hanno bloccato l’attività degli hacker prima che i dati potessero essere crittografati e hanno evitato il blocco dei sistemi informatici centrali e periferici, ma alcuni dati sono stati copiati. 

(The Isolabella law firm experienced a cyber attack that was countered by protection systems and a team of specialists. These responses stopped the hackers’ activity before the data could be encrypted and prevented the central and peripheral IT systems from being blocked, but some data was copied)

In a second statement dated August 3rd, the law firm informed its contacts that it had filed a criminal complaint with the Public Prosecutor’s Office and notified the Data Protection Authority of the data breach. The firm also stated that it had analyzed the methods of the attack, assessed the status of its IT systems, and was gradually returning to normal operations. Additionally, Studio Isolabella warned anyone who might receive communications that appeared to come from the law firm during this time.

[…]Abbiamo depositato una denuncia-querela alla Procura della Repubblica, notificato il data breach all’Autorità Garante, analizzato le modalità dell’attacco e lo stato nei nostri sistemi informatici e stiamo progressivamente tornando alla normale operatività. […]

Rinnoviamo l’invito degli interlocutori dello Studio a prendere contatto con il numero della Segreteria (02 59 92 101) o con il professionista di riferimento nel caso in cui si ricevessero comunicazioni apparentemente provenienti dallo Studio o relative a dati che potrebbero essere frutto dell’attacco.[…]

([…] We have filed a criminal complaint with the Public Prosecutor’s Office, notified the Data Protection Authority of the data breach, analyzed the attack methods and the status of our IT systems, and we are gradually returning to normal operations. […]

We reiterate our request for the firm’s contacts to reach out to the Secretariat at (02 59 92 101) or to the relevant professional if they receive communications that appear to be from the firm or relate to data that may have been compromised by the attack.[…])

Yesterday, August 23rd, the law firm published a third statement on its website, providing many more details about the ransomware incident, but most importantly, offering a true vademecum explaining the procedures to follow after a data breach.

This is one of the very rare cases we have encountered or read about where a victim of a cyberattack demonstrates transparency and professionalism—something that almost never happens. Typically, those who suffer a data breach do not publicly disclose it, turning “only” to law enforcement and the Data Protection Authority. This lack of transparency can often lead to the very issues that the law firm, through transparent communication, is trying to prevent: targeted phishing campaigns, smishing, identity theft, and more.

It is important to note that if the quantity and quality of the documents exfiltrated by BianLian (1.3TB) are confirmed, we are facing an enormous loss of data, much of it sensitive, now in the hands of a group of cybercriminals who would not hesitate to publish or sell it on the dark web.

Below, we outline the types of data that, according to the ransomware group, were exfiltrated from the Milanese law firm’s servers.

  • Finance data
  • HR data
  • Incidents & casefiles
  • Court and litigations’ data
  • Exhibits
  • Clients’ PII & PHI records
  • Mailboxes
  • Internal and external email correspondence

BianLian

Screenshot and redaction by SuspectFile.com

SuspectFile.com sent an email to the Isolabella Law Firm requesting confirmation or denial of the statements published on BianLian’s blog. We also contacted the ransomware group, sending them some questions about the case.

Before the publication of this article, we had not received any responses from either the law firm or the ransomware group.

SuspectFile.com will continue to monitor the situation and provide updates as new details emerge.