Chinese-linked hackers targeting law firms - Google

Stealth mode attack means your firm may already be compromised

Law firms have become the latest target in a sophisticated cyberespionage campaign traced to a Chinese state-linked hacking group, researchers at Google and Mandiant have warned.

The attackers, known as UNC5221, are said to have deployed a backdoor called BRICKSTORM which allows them to infiltrate and control victims’ networks over extended periods, often exceeding a year. By focusing on law firms and their privileged communications, the group has positioned itself to gain access not only to sensitive legal files but also to the clients and industries those firms represent.

Investigators believe that the hackers have quietly harvested emails, case documents and technical data since at least March this year. The malware, written in the Go programming language, exploits flaws in systems such as firewalls and virtualisation servers, which are often overlooked by traditional security tools. Once inside, it can disguise itself as routine administrative activity, making detection extremely difficult.

Ensar Seker, chief information security officer at SOCRadar, said the tactic offered attackers far more than a single breach. “By infiltrating legal services firms, they gain pathways into their clients and partners, giving them a multiplier effect on reach,” he warned.

The average length of time that the malware remains undetected is estimated at 393 days, significantly longer than the log-retention period for most systems. This means firms may struggle to trace what has been taken, or even to know when a compromise first occurred.

Risks for the profession

The threat is particularly acute for legal practices because of the highly sensitive nature of the data they hold. Litigation strategies, merger negotiations, and confidential client communications could all be exposed. For international practices, there is the added danger that adversaries may be seeking intelligence relevant to global trade disputes or regulatory matters.

Charles Carmakal, chief technology officer at Google’s Mandiant arm, described UNC5221 as “the most prevalent adversary in the US over the past several years”, citing the frequency and sophistication of its operations.

Officials at the Chinese Embassy in Washington dismissed the accusations, stating that China “opposes and combats all forms of cyberattacks and cybercrimes” and calling attribution of such attacks “a complex technical issue”.

Practical measures

Google and Mandiant have published guidance and a diagnostic tool to help organisations determine whether BRICKSTORM has been deployed within their networks. Recommendations include:

  • Scanning backups and archived systems for traces of the malware.
  • Extending log retention policies to enable long-term detection.
  • Locking down access to network management consoles and applying multi-factor authentication.
  • Reviewing third-party connections, particularly with firms acting as outside counsel or service providers.

An industry-wide concern

The campaign underscores the growing vulnerability of law firms in the global cyber landscape. Legal practices have long been regarded as soft targets by threat actors, combining access to high-value information with often less robust security investment than their corporate clients.