
Fake IT Support Staff Are Walking in to US Law Firms to Steal Data
Companies Mentioned: Mandiant, GOOG
Why It Matters
Law firms handle privileged client information, so breaches can trigger severe confidentiality violations, regulatory penalties, and reputational damage. The new physical‑access vector forces the legal sector to rethink security beyond digital perimeters.
Key Takeaways
- Russian-linked UNC3753 uses USB walk‑ins to steal law firm data
- Physical intrusion complements phishing, bypassing network defenses
- FBI and Mandiant issue alerts, urging stricter access controls
- Law firms must enforce identity verification for all IT personnel
Pulse Analysis
The recent wave of walk‑in attacks on U.S. law firms marks a shift from purely digital espionage to a hybrid model that blends social engineering with physical intrusion. By entering reception areas with pre‑loaded USB drives, threat actors can bypass firewalls, endpoint protection, and multi‑factor authentication that protect corporate networks. Legal practices are especially attractive because they store privileged client communications, merger documents, and litigation strategies that can be monetized on the dark web or used for extortion. This evolution forces security teams to extend their threat horizon beyond the endpoint.
The campaign has been tied to UNC3753, a Russian‑origin group also operating under the monikers Silent Ransom Group, Luna Moth and Chatty Spider. Since 2022 the gang has refined sophisticated phishing lures, but the walk‑in method adds a low‑tech shortcut to harvest data directly from laptops or network storage without triggering alerts. FBI and Mandiant alerts note that the actors often pose as internal IT staff, exploiting the trust placed in help‑desk personnel. Their dual‑vector approach complicates detection, as traditional email filters miss the physical component while video surveillance rarely captures the brief, credential‑free entry.
To mitigate this emerging risk, law firms should adopt a zero‑trust model that verifies every individual, regardless of claimed role, before granting device access. Mandatory badge checks, escorted visitor policies, and real‑time USB port control software can stop unauthorized storage devices at the door. Training programs must emphasize that legitimate IT support never asks employees to plug in unknown media, and incident response plans should include procedures for physical breach scenarios. As regulators tighten data‑privacy mandates, firms that proactively harden both digital and physical layers will protect client confidentiality and avoid costly litigation.