What happened?
A number of US law firms have reportedly been targeted by a cyber extortion group known as the Silent Ransom Group, using a combination of remote cyber intrusion and physical access attempts.
In one of the reported incidents, an executive at a US law firm in New Jersey received a call in April from someone posing as IT support, claiming a virus was spreading through the firm and that in person access to the lawyer’s computer was needed. The following day, a person claiming to be from IT arrived at reception but fled when challenged.
In a separate incident, a man posing as IT support entered another US law firm and allegedly used smart glasses while speaking Russian, apparently to provide the threat actors with a live view of the office environment. Another member of the group reportedly called the lawyer pretending to be from FedEx to lure him away from his desk while the intruder attempted to insert a USB device into the computer. The attempt was reportedly blocked by the firm’s cyber defences.
The FBI has stated that there have been “numerous physical access attempts” by the group across cities in the US. CNN reports that investigators suspect the group has hired people in the US to attend law firm offices in person and plug in thumb drives to bypass security controls that may prevent remote deployment.
The group appears to be focused on data extortion rather than pure ransomware encryption. Its objective is said to be the theft of sensitive client information from law firms to increase leverage in ransom negotiations. If payment is not made, the threat is that stolen data will be leaked.
The group is believed by some researchers to have links to former members of the Conti ransomware gang, that the FBI is investigating and tracing payments using blockchain analysis, and that at least two US law firms received extortion letters by post demanding payment in cryptocurrency or cash.
So what?
This matters because it shows a notable shift from purely remote cyber-attacks to blended cyber physical intrusion tactics.
Law firms are high value targets because they hold confidential client data, commercially sensitive documents, litigation strategy, transaction materials and personal data. Physical access can help attackers bypass technical controls, particularly where remote access is blocked. The reported tactics also show increasingly sophisticated social engineering, combining phone impersonation, physical presence, timing, deception and potentially live remote guidance.
This type of incident extends the threat beyond the IT function. Reception staff, facilities teams, executive assistants and fee earners may all become part of the attack surface. The use of in person operatives and posted extortion letters also suggests that some threat actors are willing to escalate beyond conventional phishing or network intrusion to increase pressure on victims.
The incidents highlight potential weaknesses in visitor verification, front of house controls, internal IT identity checks, staff readiness to challenge unusual in person requests, device control policies and coordination between cyber security and physical security teams.
For professional services and other data rich sectors, this is a warning that threat models need to account for hybrid attacks. Organisations may already have strong email, endpoint and perimeter controls, but still be exposed if an attacker can persuade staff to allow physical access or connect a device to the network.
If a similar incident led to unauthorised access to personal data, organisations could face UK GDPR and Data Protection Act 2018 breach assessment and possible reporting duties, as well as contractual notification obligations, confidentiality concerns and legal professional privilege issues. Even though the reported activity took place in the US, the underlying risks are directly relevant to UK organisations holding sensitive or regulated information.
What should I do?
Organisations, particularly law firms and other professional services businesses, should take practical steps to reduce exposure to this type of threat.
As an immediate step, staff should be reminded that no one should be allowed to access a workstation, inspect equipment or connect a device without prior internal verification. Teams should be warned about impersonation of IT support, couriers and other trusted functions. It would also be sensible to review recent visitor logs and CCTV for unusual, attempted visits, and to confirm that endpoint controls block or tightly restrict unauthorised USB devices.
From a technical perspective, organisations should disable or tightly limit USB mass storage access where possible, ensure endpoint detection and response tooling is active and monitored, and review application control and device control policies. Monitoring should also be in place for suspicious activity such as attempts to disable security tools, unusual removable media usage, anomalous logins and file access patterns that may suggest data staging or exfiltration.
Physical and procedural controls should also be reviewed. IT staff should be subject to clear identification and ticketing procedures for desk side support. Reception and front of house teams should be trained to verify visitors independently rather than relying on confident pretexts. Organisations should also ensure staff feel able to challenge unexpected visitors, and should review whether access controls, CCTV coverage and visitor management processes are sufficient.
Training should cover fake IT support calls, courier impersonation, tailgating, malicious USB devices and urgent requests designed to bypass normal process. Incident response plans should also be tested against scenarios involving both cyber and physical intrusion, with clear coordination between cyber security, facilities, building management, insurers and law enforcement where needed.
It would also be sensible to ask the IT or security team a few focused questions:
- Unauthorised access: Are unauthorised USB devices blocked across the organisation
- Verification: How do staff verify whether an IT support visit is genuine
- First line of defence: Would reception know how to handle a visitor claiming to be from IT or a supplier
- Joint resources: Do we have a bonded response between cyber security and physical security
- Response time: Can we quickly investigate attempted physical access using logs, CCTV and badge data?
For further information, organisations should monitor relevant alerts and guidance from the FBI, CISA, vendors and, for UK organisations, the National Cyber Security Centre.