Have you legal clients? They may already be compromised

Law firms have become the focus of a stealthy hacking campaign that experts say is among the most serious they have seen in years. The operation, which security researchers have tied to a group with links to China, uses a type of malicious software called BRICKSTORM to quietly break into computer systems and remain hidden there for more than a year.
According to Google’s Threat Intelligence Group and its cybersecurity arm Mandiant, the attackers are not after quick wins. Instead, they spend months silently monitoring email, stealing sensitive documents, and mapping out ways to break into not just the firms themselves but also their clients and partners. For law firms, this means highly confidential communications — including case strategy, regulatory filings, and commercial contracts — could already be in the wrong hands without anyone knowing.
“The attackers aren’t just breaking into law firms for the sake of it,” said Ensar Seker, chief information security officer at SOCRadar. “Once they get access to those systems, they get access to downstream clients. That creates a multiplier effect.”
Why Law Firms Are at Risk
Unlike technology companies, many law firms still rely on older or less-protected systems. BRICKSTORM is designed to take advantage of exactly that weakness. The malware installs itself on devices such as firewalls, VPNs, or servers that often sit outside the reach of traditional security tools. By doing so, it avoids the usual alarms and can operate undetected.
Researchers found that once the hackers gained entry, they would sometimes wait weeks or even months before making a move. In some cases, the malware even included built-in “delays,” lying dormant until the right moment to activate. On average, investigators said the hackers remained hidden inside a network for about 393 days — far longer than most organizations keep detailed logs. That means by the time suspicious activity is noticed, much of the evidence may already be gone.
The Bigger Picture
For insurers, this campaign highlights a growing supply-chain risk. Law firms are deeply embedded in the insurance ecosystem — they handle claims litigation, advise on regulatory matters, and represent carriers in disputes. If their systems are compromised, the exposure doesn’t stop at the firm. Confidential client information, intellectual property, and even privileged communications could be exfiltrated, creating ripple effects for the insurers they serve.
Cybersecurity experts say the attackers are also collecting technical data to build new “zero-day” exploits — undiscovered flaws that can be used for future attacks. In effect, they are not only stealing information but also creating tools to break into other systems later.
What Firms Should Do
To defend against these threats, Google and Mandiant recommend that law firms and their clients:
- Scan backup systems and devices for traces of BRICKSTORM, since it often hides in places normal security tools do not check.
- Strengthen logging and monitoring of servers and management systems, and keep records longer than usual to spot suspicious behavior.
- Segment and secure management interfaces (such as for VPNs or virtualization software), using multi-factor authentication and strict access controls.
- Map third-party connections — especially outside counsel relationships — to understand where sensitive data may be exposed if a partner is compromised.
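The last recommendation above (map third-party connections) and the "multiplier effect" Seker describes earlier can be made concrete with a small dependency graph: record which partner has what kind of access into which organisation, then compute how far a single compromise would cascade. The following is an added illustration, not code from the article, from Google, or from Mandiant; the organisation names, access labels and the three-column inventory format are constructed for the example and are not a published schema.

```python
"""Added example: a third-party exposure map that follows the article's
'map third-party connections' advice and shows the downstream multiplier
effect of one compromised partner.

Everything below is constructed for illustration. The data model (source
organisation, target organisation, kind of access) is an assumption; a real
inventory would be built from IAM, VPN and B2B-connectivity records.
"""
from collections import defaultdict, deque

# Constructed inventory: each tuple reads "source has <access> into target".
# Access labels are illustrative: 'vpn', 'email', 'dms' (document management).
CONNECTIONS = [
    ("OutsideCounselA", "InsurerX", "vpn"),
    ("OutsideCounselA", "InsurerY", "email"),
    ("OutsideCounselA", "BrokerB", "dms"),
    ("BrokerB", "InsurerZ", "email"),
    ("OutsideCounselC", "InsurerX", "email"),
    ("InsurerX", "ClaimsTPA1", "vpn"),
]


def build_graph(connections):
    """Adjacency list: org -> [(downstream org, access type), ...]."""
    graph = defaultdict(list)
    for src, dst, access in connections:
        graph[src].append((dst, access))
    return graph


def blast_radius(connections, compromised):
    """Return {org: hops} for every organisation reachable from the
    compromised one. hops == 1 are direct downstream parties; hops >= 2 show
    how a single breach cascades through the supply chain (breadth-first)."""
    graph = build_graph(connections)
    seen = {compromised: 0}
    queue = deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt, _access in graph[cur]:
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    seen.pop(compromised)
    return seen


def aggregation_report(connections):
    """For each organisation that holds access into others, count how many
    organisations a compromise of it would expose. Sorted largest first, so
    the single points of failure an underwriter cares about come to the top."""
    sources = {src for src, _, _ in connections}
    counts = {src: len(blast_radius(connections, src)) for src in sources}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def exposure_by_access(connections, compromised):
    """Direct downstream parties grouped by the kind of access the
    compromised partner holds, to prioritise containment (for example,
    revoking VPN credentials before rotating shared mailboxes)."""
    grouped = defaultdict(list)
    for src, dst, access in connections:
        if src == compromised:
            grouped[access].append(dst)
    return {access: sorted(targets) for access, targets in grouped.items()}


if __name__ == "__main__":
    for org, exposed in aggregation_report(CONNECTIONS):
        print(f"{org}: {exposed} downstream organisation(s) exposed")
    print(blast_radius(CONNECTIONS, "OutsideCounselA"))
    print(exposure_by_access(CONNECTIONS, "OutsideCounselA"))
```

In the constructed data, compromising OutsideCounselA reaches five organisations, two of them only indirectly (through InsurerX and BrokerB), which is exactly the second-order exposure a flat list of "our vendors" does not reveal. Swapping in a real inventory is a matter of producing the same three-column edges from whatever access records the firm or carrier already holds.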
Why It Matters for Insurance
For insurers, the threat is twofold. First, a breach at a law firm could expose case strategy and privileged claims information. Second, cyber underwriters face a growing aggregation challenge: one law firm breach could impact dozens of insured clients. That scenario raises questions about how policy wording, exclusions, and limits address risks that spread across supply chains.
As Mandiant’s Charles Carmakal put it, UNC5221 — the group behind the campaign — has been “the most prevalent adversary in the U.S. over the past several years.” For the insurance industry, that means law firms are not just soft targets, but potential gateways into a much larger risk landscape.