Cyber Threat Actor: Cravath Swaine & Moore LLP
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
The threat actor referenced by the aliasCravath Swaine & Moore LLP is identified in open‑source reporting as operating from the United States of America. The alias appears to be a deliberate masquerade, employing the name of a legitimate law firm to conceal malicious activity and to lend an appearance of credibility during intrusions. Public sources note that the actor’s location is inferred from the geographic focus of its victims and the investigative jurisdiction of U.S. authorities. No additional details about the actor’s infrastructure, size, or sponsorship have been disclosed in the material provided.
In the intrusion first reported on 2015‑06‑01, the actor obtained initial access through stolen credentials and subsequently deployed malware that enabled continuous monitoring of the compromised network. The malware was used to search for and exfiltrate material non‑public information, such as details of impending corporate transactions, which could be leveraged for illicit stock market activities. Security analysts observed that the stolen employee and client records also created opportunities for follow‑on phishing or financial fraud, highlighting the actor’s interest in harvesting sensitive business intelligence from repositories of privileged data. The FBI investigated whether the accessed data facilitated illicit stock market activities, and similar breaches were noted across multiple law firms to exploit corporate client details. The observed pattern—credential theft followed by monitoring‑oriented malware—has been described as a repeatable tactic in these incidents.
Beyond the 2015 case, reporting describes a broader campaign in which the actor repeatedly targeted several U.S. law firms to gather confidential client information that could inform securities‑market manipulation. This activity aligns with the broader criminal tactic of targeting professional organizations for privileged data to manipulate securities markets, as noted in the source material. No public attribution to a state sponsor or a known criminal consortium has been made available in the open sources consulted. The actor’s use of a legitimate‑sounding alias underscores how adversaries adapt seemingly benign identifiers to conduct prolonged, low‑profile intrusions against high‑value targets.
