Potentially hundreds of UK law firms affected by cyberattack on IT provider CTS

CTS, a managed service provider (MSP) for law firms in the United Kingdom, is “urgently investigating” a cyberattack that has disrupted its services — potentially leaving hundreds of British law firms unable to access their case management systems.

The company announced Friday that it was “experiencing a service outage which has impacted a portion of the services we deliver to some of our clients,” and confirmed “the outage was caused by a cyber-incident.”

Industry news outlet Estate Agent Today reported that CTS was hacked through the CitrixBleed bug which U.S. officials have warned is being exploited by both state-sponsored and cybercriminal groups.

It is not known how many of the company’s clients are affected, although a report by Today’s Conveyancer estimated between 200 and 80 would be “unable to access phone, emails, or case management systems.”

CTS said it was “working closely with a leading global cyber forensics firm to help us with an urgent investigation into the incident and to assist us in service restoration.”

The company said it was confident it would be able to restore services but cautioned it could not give a timeline for “full restoration,” and pledged to communicate directly with the clients who were affected.

Recorded Future News did not receive an immediate statement from any of the firms who have provided website testimonials for CTS, however a receptionist at law firm O’Neill Patient said the company had established a specific email address regarding the “issue” with its servers.

Government failures to regulate MSP security

The hack comes just weeks after the British government failed to introduce promised legislation that would have required MSPs to increase their cybersecurity protections.

By failing to include the NIS Regulations updates in the King’s Speech earlier this month, the government has likely missed its last chance to bring forward the legislation before a general election next year.

MSPs are “an attractive and high value target for malicious threat actors, and can be used as staging points through which threat actors can compromise the clients of those managed services,” the government warned when it announced the new laws.

There have been numerous incidents affecting MSPs, from the CloudHopper campaign — which the U.K. attributed to hackers working on behalf of the Chinese Ministry of State Security — through to the financially motivated ransomware attacks impacting MSPs such as Kaseya in the United States and the NHS supplier Advanced in Britain, with the latter severely impacting patient care, according to BBC News.

At the time it pledged to update cybersecurity laws for MSPs, the government said the new laws would be introduced “as soon as parliamentary time allows” and would “better protect our essential and digital services and the outsourced IT providers which keep them running.”

Asked about the government’s failure to bring forward the laws during the launch of the agency’s annual review, the National Cyber Security Centre’s director for national resilience, Jonathon Ellison, said the government remained committed to implementing the update.

“But there’s plenty of stuff we can do in the intervening period and we’ll continue to do,” said Ellison, including publishing guidance for the customers of MSPs and to provide threat intelligence about the threat actors targeting the MSP sector.

Ellison added that government had other levers to improve security in the sector, including using its own contracting services “as a mechanism by which we can drive some of the changes that we need to see within the MSP sector without the need to update the regulations right now.”

A government spokesperson did not immediately respond to Recorded Future News for this story. They previously said: “The government takes the cyber resilience of the UK very seriously and is working with operators, regulators and other government departments to ensure that they meet set levels of resilience and have the necessary means to improve their cyber security.”