When cybercriminals hire burglars: Inside an alleged Russian effort to infiltrate multibillion-dollar US law firms


When the phone of an executive at a US law firm rang in April, the voice on the other end was urgent: A computer virus was spreading through the firm.

The caller said they were from IT support and needed physical access to the lawyer’s computer because remote fixes to stop the attack weren’t working. The lawyer told his purported colleague to swing by his desk at the law firm’s office in New Jersey.

The next day, the firm’s receptionist called: The lawyer had a visitor from IT at the front desk.

“That’s when an alarm bell went off: Why would an IT person need to check in with reception?” said Leeann Nicolo, who handles incident response for cybersecurity insurance firm Coalition, which the law firm hired to investigate the incident.

The visitor ran out of the building when the lawyer approached the front desk, according to Nicolo.

It’s one of several incidents at law firms across the country in the last year in which, the FBI and private investigators suspect, the Russian-speaking Silent Ransom Group has hired people in the US to show up in person and plug thumb drives into law firms’ computers. The physical access could help bypass anti-virus protections that the hackers run up against from afar.

The group’s millions of dollars in returns contrast with its modest investments: In a private Telegram channel, the group is offering $500 to people to visit law firms and plug in USB sticks, one cybersecurity professional familiar with the incidents told CNN.

The hired hands are “cannon fodder” for the Russian-speaking cybercriminals — expendable assets in a much larger cybercrime war, the source said. It’s a rare and risky tactic for hackers to undertake because it leaves a trail of evidence, including surveillance footage, that the FBI can pore over.

Cybercriminals “are getting increasingly bold in what they recruit people to do over the internet,” a law enforcement official who tracks the group told CNN.

The goal of these brazen operations is to strengthen the criminals’ hands in multimillion-dollar ransom negotiations by obtaining sensitive data on the law firms’ clients. If the firms don’t pay up, the hackers leak the stolen information.

Hacking alone has already netted Silent Ransom Group a fortune. They have extorted roughly $100 million from law firms in the last six months alone, according to an estimate from a cybersecurity executive who has facilitated ransom payments to the group. Other sources familiar with the group estimated it had extorted at least tens of millions of dollars.

When hacking from afar doesn’t yield enough data for a big score, the group has tried to up the ante by outsourcing burglary. Hired hands have visited major US cities, including New York and Washington, D.C., CNN has found.

In a second case, a man posing as IT support entered a different US law firm and began speaking Russian into his smart glasses. That was likely intended to give the cybercriminal group a live look at the computers in the building, according to another cybersecurity researcher familiar with the case.

Before the intruder reached the desk of the lawyer whose computer he wanted to compromise, another member of the crime group called the lawyer’s cell phone, posing as a FedEx dispatcher to lure him away from his desk. The intruder plugged in the thumb drive, but the law firm’s cyber defenses blocked the attack, the researcher said.

“My expectation is that they’re targeting every major law firm in the US,” the cyber executive involved in payments to the group told CNN.

Silent Ransom Group is the only “data extortion group” the FBI is aware of that is physically accessing the properties of its victims, the bureau said in a statement to CNN.

There have been “numerous physical access attempts” by Silent Ransom Group in cities across the US, the FBI said. It declined CNN’s request for an interview with an FBI official focused on the cybercrime group.

Other cybercriminals have posed physical threats before, from “swatting” (in which a caller triggers a massive police response) to threatening violence. But most government and private security experts are still not trained to deal with cyber and physical threats at the same time.

“Many threat actors have found it easier to conduct things completely digitally, and therefore (the physical aspect) may be a threat that we don’t think about as much,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group. “It may be a trend where individuals are more likely to trust someone who (shows up) in person because it’s not expected.”

The Silent Ransom Group hackers are no strangers to the FBI. Cybersecurity researchers believe some of its members were involved in the infamous Conti ransomware gang that dissolved in 2022 after a Ukrainian man leaked thousands of the group’s internal chat logs in retaliation for Russia’s full-scale invasion of Ukraine. The leak included evidence that the hackers had connections with Russian intelligence.

The FBI spent years gathering evidence on Conti and tracking its members’ movements (one alleged member pleaded guilty in US court this month). The Ukrainian man told CNN that the FBI asked him to stop leaking the Conti files, apparently because it might interfere with the bureau’s investigation. Now, the FBI is building a case against the Silent Ransom Group by tracking law firms’ payments on the blockchain, multiple sources familiar with the investigation told CNN.

The investigation isn’t completely digital.

Over the last year, at least two US law firms have received extortion letters in the mail demanding payment in cryptocurrency or cash not to leak data allegedly stolen from the firms, according to Nicolo, the executive with cyber insurance firm Coalition. The return addresses on the envelopes were empty offices in Washington, D.C., and Boston, she said, calling it “eerie.”

The letters were signed by a different cybercrime group, but Nicolo thinks it’s a false flag. The forensics show that Silent Ransom Group hacked at least one of the firms, she said.

“I think we are going to see more and more of that,” Nicolo said, referring to break-in attempts and other physical threats to victim organizations.

“It’s a fine line between hoping you get paid and/or hacking enough victims that you’re making money somewhere, and having to apply that next level of pressure,” she said.
