Lawyers slam SEC for 'blatant fishing expedition' after Exchange mega-attack
Not a 'whiff of wrongdoing' here, says attorney now fighting off Uncle Sam
The US Securities and Exchange Commission (SEC) has sued international law firm Covington & Burling for details about 298 of the biz's clients whose information was accessed by a Chinese state-sponsored hacking group in November 2020.
The data theft in question is the now-infamous Microsoft Exchange attack in which Hafnium exploited four zero-day vulnerabilities in the email platform to steal data from US-based defense contractors, law firms, and infectious disease researchers.
Covington was one of the breached law firms, and the intrusion gave the Beijing-backed cyberspies access to some of Covington's clients that are regulated by the US agency.
"Covington has admitted that a foreign actor intentionally and maliciously accessed the files of Covington's clients, including companies regulated by the Commission," the lawsuit says [PDF]. "In light of this reported breach, the Commission is seeking to determine whether the malicious activity resulted in violations of the federal securities laws to the detriment of investors."
The law firm, headquartered in Washington, DC, specializes in regulatory and public policy matters and its attorneys include former government officials.
In March 2022, the SEC issued a subpoena asking Covington to hand over information about the security breach including, among other things, the names of all affected clients, the amount of information that was accessed or stolen, and communications between the law firm and the clients about the exfiltration.
Covington complied with most of the subpoena, but told the SEC it wouldn't be able to produce a full list of affected organizations by the deadline, according to the court documents.
The SEC then narrowed its request to just the names of SEC-regulated clients whose data had been "viewed, copied, modified or exfiltrated during the attack on Covington" as well as communications between those publicly traded companies and their attorneys.
This is where the two parties' interpretations of the law diverge.
Because Hafnium accessed private information belonging to some Covington clients, including the 298 regulated by the SEC, the agency has a mandate from Congress to investigate the breach and "determine whether the malicious activity resulted in violations of the federal securities laws to the detriment of investors," according to the lawsuit.
Covington, unsurprisingly, sees things differently.
A Covington spokesperson called the SEC's lawsuit an "unwarranted attempt to intrude on client confidences and the attorney-client privilege."
Two years ago, after becoming aware of the security breach, Covington notified its potentially affected clients and worked with the FBI to support its investigation, the spokesperson told The Register.
"More recently, the SEC issued a subpoena to Covington relating to the incident, and in response, we promptly provided the Commission with detailed information about the attack and our cooperation with the FBI," the spokesperson added.
"At the same time, we made clear to the SEC that we cannot voluntarily comply with any attempt by the agency to obtain client confidential information, including the identity of affected clients and attorney-client communications. Against this background, the firm intends to contest the SEC's subpoena enforcement action."
A June 2022 letter [PDF] to the SEC from Gibson Dunn, the law firm that is representing Covington, echoes this statement, and says Covington "does not have the option of complying" with the subpoena by handing over communications with any of its clients who were affected by the Hafnium attack because they are protected by attorney-client privilege.
"Covington is duty-bound to protect the names of clients potentially impacted by the cyberattack," it noted.
In a statement emailed to The Register, Kevin Rosen, a partner at Gibson Dunn, called the SEC lawsuit "a blatant fishing expedition that both targets Covington's clients without even a whiff of wrongdoing and attempts to coerce Covington's complicity in that effort."
"This broad assault on the attorney-client relationship and confidential client information threatens all clients and their lawyers," Rosen said. "Covington will do everything in its power as the law demands to protect that relationship and those privileged confidences by opposing the SEC's unwarranted intrusion here." ®