A series of security breaches that stuck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government, according to evidence seen by Fortune.
The incidents involved hackers getting into the email accounts of partners at well-known firms, and then relaying messages and other data from the partners’ in-boxes to outside servers.
In the case of one firm, the attacks took place over a 94 day period starting in March of 2015, and resulted in the hackers stealing around seven gigabytes of data, according to information obtained by Fortune. That figure would typically amount to tens or hundreds of thousands of emails.
The information also revealed the thefts took place in one hour increments, and that the hackers returned repeatedly in search of new information.
News of the law firm breaches surfaced earlier this year when the Wall Street Journal reported that hackers had penetrated the computer networks of Cravath Swaine & Moore, Weil Gotshal & Manges and other unidentified firms. The clients of these firms include many of the world’s biggest companies, and they are privy to sensitive corporate information. Cravath, for instance, is representing Time Warner (twx) in its merger plans with AT&T (t).
The Wall Street Journal’s account suggested the goal of the hackers was to obtain information to facilitate insider trading. Cravath at the time responded that it was not aware that any of the exposed information had been used improperly, while Weil declined comment.
The earlier news of the law firm breaches did not say who conducted the hacking, but Fortune has obtained reliable information that indicates the breach took place as part of a larger initiative by the Chinese government. This initiative also saw the hackers target big U.S. companies, including a major airline. The 2015 attack reflected familiar patterns of hacking employed by individuals with connections to the Chinese government, according to the information obtained by Fortune.
Get Data Sheet, Fortune’s technology newsletter.
The evidence obtained by Fortune did not disclose a clear motive for the attack but did show the names of law firm partners targeted by the hackers. The practice areas of those partners include mergers and acquisitions and intellectual property, suggesting the goal of the email theft may indeed have been economic in nature.
Multiple sources in law enforcement and at the law firms declined to go on record for this story, but confirmed the role of China in the email hacking campaign. The sources did not wish to speak publicly in part because the events are the subject of a confidential investigation.
The office of the U.S. Attorney for the Southern District of New York launched the investigation earlier this year, and it is active and ongoing. A spokesperson for the office declined to comment.
An Uncomfortable Issue for Firms
The theft of the partner emails is a serious matter for law firms, which handle a wide variety of sensitive business issues and enjoy a reputation for confidentiality and discretion.
The targets were numerous. In addition to the ones named by the Journal, evidence also shows the hackers tried to target other prominent law firms, including Cleary Gottlieb; Mayer Brown;Latham & Watkins; Covington & Burling; Davis Polk & Wardell. The hacking attempts did not always succeed as some firms rebuffed the attacks or prevented the attackers from removing any data.
The firms chose not to comment in part because cyber-security is a sensitive matter and, like other organizations, they do not want to draw attention to themselves—regardless if a breach has occurred or not.
In the case of successful attacks, firms had deployed firewalls and other technical measures to guard their networks, but they failed to detect the email-driven attack. Such attacks, known as “spear-phishing,” target victims with personalized emails. It was this tactic that allowed hackers to penetrate the email accounts of former DNC chair John Podesta and former Secretary of State, Colin Powell, as well as numerous celebrities. Last month, the Homeland Security chief Jeh Johnson described phishing as the top hacking threat facing the country.
The timing of the breaches is also notable. They occurred in 2015 at a time when hacking by the Chinese government became a major irritant in Sino-American relations. In September of that year, President Obama delivered a blunt warning to China on the eve of a state visit to Washington by President Xi Jinping, calling such attacks “an act of aggression.”
Shortly after news of the breaches at Cravath and Weil, a threat analysis firm warned that a Russian hacker known as Oleras was recruiting a gang of cyber criminals online in order to target law firms for economic data that could be traded upon. Oleras, however, does not appear to have been involved in the law firm hacking that took place in 2015.
Meanwhile, there have been fresh attempts to compromise law firms with new forms of phishing attacks. Last week, for instance, New York’s Attorney General, Eric Schneiderman warned of a scam that involved sending emails to lawyers purporting to be from his office.