Potentially hundreds of UK law firms affected by cyberattack on IT provider CTS

CTS, a managed service provider (MSP) for law firms in the United Kingdom, is “urgently investigating” a cyberattack that has disrupted its services — potentially leaving hundreds of British law firms unable to access their case management systems.

The company announced Friday that it was “experiencing a service outage which has impacted a portion of the services we deliver to some of our clients,” and confirmed “the outage was caused by a cyber-incident.” The UK government is “closely monitoring the company’s situation,” according to a government spokesperson.

Industry news outlet Estate Agent Today reported that CTS was hacked through the CitrixBleed bug which U.S. officials have warned is being exploited by both state-sponsored and cybercriminal groups.

It is not known how many of the company’s clients are affected, although a report by Today’s Conveyancer estimated between 200 and 80 would be “unable to access phone, emails, or case management systems.”

CTS said it was “working closely with a leading global cyber forensics firm to help us with an urgent investigation into the incident and to assist us in service restoration.”

The company said it was confident it would be able to restore services but cautioned it could not give a timeline for “full restoration,” and pledged to communicate directly with the clients who were affected.

Recorded Future News did not receive an immediate statement from many of the firms who have provided website testimonials for CTS.

O’Neill Patient, one of the firms to have given a testimonial, said the “outage has unfortunately impacted our customers, particularly those who were due to complete on a new home.

“We understand that this is already a stressful time for people, so we are dedicated to doing all we can to help. We are supporting all clients on a case-by-case basis, regarding their personal and individual needs.”

The law firm said its clients’ well-being was the company’s “top priority” and that it would “of course cover the reasonable cost of their immediate wellbeing needs.”

Government failures to regulate MSP security

The hack comes just weeks after the British government failed to introduce promised legislation that would have required MSPs to increase their cybersecurity protections.

By failing to include the NIS Regulations updates in the King’s Speech earlier this month, the government has likely missed its last chance to bring forward the legislation before a general election next year.

MSPs are “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services,” the government warned when it announced the new laws.

There have been numerous incidents affecting MSPs, from the CloudHopper campaign — which the U.K. attributed to hackers working on behalf of the Chinese Ministry of State Security — through to the financially motivated ransomware attacks impacting MSPs such as Kaseya in the United States and the NHS supplier Advanced in Britain, with the latter severely impacting patient care, according to BBC News.

At the time it pledged to update cybersecurity laws for MSPs, the government said the new laws would be introduced “as soon as parliamentary time allows” and would “better protect our essential and digital services and the outsourced IT providers which keep them running.”

Asked about the government’s failure to bring forward the laws during the launch of the agency’s annual review, the National Cyber Security Centre’s director for national resilience, Jonathon Ellison, said the government remained committed to implementing the update.

“But there’s plenty of stuff we can do in the intervening period and we’ll continue to do,” said Ellison, including publishing guidance for the customers of MSPs and to provide threat intelligence about the threat actors targeting the MSP sector.

Ellison added that government had other levers to improve security in the sector, including using its own contracting services “as a mechanism by which we can drive some of the changes that we need to see within the MSP sector without the need to update the regulations right now.”

“All organisations should take action to ensure their systems are secure and resilient,” the government spokesperson told Recorded Future News. “We are working with operators, regulators, and the NCSC to ensure that set levels of resilience are met, making sure critical sectors have the necessary means to improve cyber security across the country.”