Breach, Data Security, Threat Management

[Updated] Panama Papers: Who let the docs out?

[Updated to include more speculation about an external attack]

The dramatic exfiltration of 2.6 terabytes of data from the Panama-based law firm Mossack Fonseca has been countered by an equally uninformative explanation for how this international organisation, with a class A customer list, allowed itself to be turned over.

Very little is known as this stage about how the company came to lose 11.5 million documents. A German journalist, who works for the newspaper Sueddeutsche Zeitung, was contacted a year ago by an anonymous source who insisted on the use of encrypted communications for every contact. The journalist claims to have no knowledge of who the leaker was only that he or she didn't want any payment, saying that exposing the “crimes” of Mossack Fonseca was enough.

Debate is rife within the cyber-security community as to whether the data leak was the work of a disgruntled insider rather than an external hacker as and others reported yesterday based upon the company's initial response. 

Mossack Fonseca's explanation for the attack was that it had experienced an “unfortunate” email server attack. This was followed by assurances that security would be tightened and expert consultants drafted in to figure out what happened.

But as Paul Ducklin, writing on the Naked Security blog, said, it is difficult to conceive how anyone could intercept and exfiltrate 2.6tb of data via email, especially given the range and variety of information and types of documents.

Ducklin – who is incidentally appalled that professional journalists are willing to handle stolen data – said that rather than an email server attack, it was more likely that the perpetrator gained access to an email account and then leveraged that access to upgrade their privileges.

To Jens Puhle, UK managing director at 8Man, the breach was more likely the result of an insider attack, in the same vein as Edward Snowden and Chelsea Manning, although in this case the identity of the leaker – who reportedly fears for their life – may take a long time to ascertain. “It's an unusual case, however, since it was apparently leaked directly to the press which signifies someone taking a moral standpoint rather than looking for financial gain,” said Puhle.

Thierry Bettini, director of international strategy at Ilex International, tends to agree with Puhle. “It's really too early to say at this point and it's worth noting the only breach Mossack Fonseca has recognised at this point is the hacking of its email server. However, given the number/volume of documents stolen, that is probably not the only cause. This could definitely have been the work of an insider, like in other cases such as in the Clearstream case.”

And Mark Sangster, VP of marketing at eSentire, said: “We're seeing many cases of insider data breaches that involve leaking sensitive data for front running trades or more malicious intent. In this case, seemingly one individual got his or her hands on a massive collection of files spanning four decades. If this holds true, this extreme case of an apparent insider threat will result in catastrophic consequences for Mossack Fonseca.”


But some favour the theory that it was an external attacker, possibly a nation state. Charles White, founder and CEO of IRM, believes the leak is likely to have come from a high level external hack, partly because of its sophistication and partly because of Panama's notorious human rights record which might deter insiders from taking the risk.

“The leak could be the work of an external hacker, and one would hope with information of this magnitude a very competent hacker potentially at nation state level,” White said. “Legal companies like this hold a lot of rich, exciting information that can be very useful at a nation state level, especially when current and former world leaders are involved. The huge amount of data makes it likely the entire database was stripped out, which also points to an external attack.”

Agreeing with White that it could have been an outsider is Adam Boone at Certes Networks. He said that available evidence points to the theory that a compromised email server was the attack vector.

He said that law firms are ripe for attacks because of the extremely sensitive data they hold for important clients. “Without modern access control and application isolation techniques, these firms are wide open for malicious insiders or external attackers to get access to the most sensitive data,” he told SC. “Effective application isolation is almost nil at many companies. Attacks on third parties like external law firms, contractors and the like have been the main attack vector in the high profile data breaches over the past three years, including Target, Sony and many others.”

Finding out who was responsible will of course be top priority for Mossack Fonseca. The first step will be determining when the breach occurred.

“The German newspaper Süddeutsche Zeitung has revealed that it was first contacted by its anonymous source over a year ago and was steadily supplied data over a number of months, which means this activity went undetected for some time. Indeed, it's possible the firm would never have known if the leak was not publicised in this way,” said Jens Puhle.

“The firm has not made an official statement about how the breach was detected or when. But in many of such cases, the breach is not known about until an external party warns the breached company that there are indicators of a breach,” said Boone. “In this case, it is possible that the law firm did not know about the breach until the investigative journalists started publishing their work.”

Then the law firm will need to establish who could have accessed the files.

“In the likely event that it was an internal breach, they should set about ascertaining who had access to the files – considering that an incredible 2.6 terabytes of data were accessed and moved, there should be clear evidence in the file server. With the right measures in place, they will be able to tell the times and locations that the files were accessed,” said Jens Puhle.

“Working retrospectively, Mossack Fonseca should be able to tell who had clearance to files during the time frame. The scale of the data in question should also narrow this down. Again, however, this assumes they have the right policy and systems in place to keep track of access,” Puhle added.

However, Boone, who favours the theory that it was an external attack, outlined how this amount of data could have been exfiltrated.

“That is a massive amount of data to steal. By far the easiest way to steal it would be for an insider with direct system access to place the data on a removable drive and simply walk out with it,” said Boone.

“But it is possible this could have happened over a network by hackers breaking in remotely. Roughly speaking, 2.6 terabytes is the equivalent of about 20.8 terabits of data being transferred on a network. If the hackers were outsiders they may have had to transfer it out of the enterprise by a network. They likely used the ‘low and slow' data breach technique. That means that you compromise the systems and then slowly exfiltrate the data over weeks so as to not create any unusual traffic spikes and so evade detection. To transfer that much data at a slow one megabit per second transfer rate would take about 241 days of continuous data transfer. Alternately, the hackers might have established a high bit-rate file transfer connection, and that could have shortened the time considerably, to about 9 days if they were able to sustain a 25 mbps transfer rate.”

No doubt these are questions that the directors at Mossack Fonseca are trying to answer right now, but the chances are – given the company's history of secrecy and its reticence in speaking publicly about the data leak – we are unlikely to find out the results of the investigation unless, of course, they get hacked again.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.