Cyber Incident Victim: Weil Gotshal & Manges LLP
Date: Jun 2015
Location: United States of America
Summary
A US law firm experienced a network compromise where attackers used stolen credentials and malware to monitor systems for material non-public information, potentially facilitating insider trading schemes. The FBI investigated whether accessed data enabled illicit stock market activities, with similar breaches targeting multiple firms to exploit corporate client details. Security analysts noted compromised employee and client records could enable further phishing or financial fraud, emphasizing law firms' vulnerability as repositories of sensitive business intelligence. The incident reflected broader criminal tactics targeting professional organizations for privileged data to manipulate securities markets.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |

Description
In 2015 and early 2016, hackers compromised the computer networks of prominent US law firms Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, with the Cravath breach traced to summer 2015. The FBI initiated an investigation to determine whether attackers accessed material non-public information to facilitate insider trading schemes. According to an FBI Private Industry Notification shared by Robinson+Cole’s Data Privacy and Security Team leader Linn Foster Freedman, the attackers monitored compromised law firm networks for confidential business venture information, which collaborators with stock market expertise then allegedly used to place strategic bids for illicit profits. The scheme formed part of a broader campaign targeting multiple international law firms, evidenced by a February 2016 job posting on an underground Russian forum where a hacker advertised phishing capabilities and identified specific firms as targets. Another criminal actor had previously solicited hackers on cybercrime forums to establish sustained access to law firm networks.

Security firm Flashpoint and the Financial Services Information Sharing and Analysis Center (FS-ISAC) disseminated warnings about these attacks. Investigators determined that threat actors used stolen credentials to gain privileged access, deployed malware to infect computers, and monitored activity to collect sensitive data. The FBI assessed that stolen information could enable insider trading, while compromised employee and client records risked further exploitation through spear-phishing and social engineering attacks. Affected individuals were advised to monitor accounts for fraud, avoid unverified email links/attachments, change potentially compromised passwords, and update security software. The incident highlighted law firms’ attractiveness as targets due to their repositories of corporate trade secrets, merger details, and executive contact information, which could be weaponized for financial crimes or sold on black markets. This followed a similar August 2015 SEC case involving hackers and traders who stole earnings announcements from newswire services to manipulate securities markets.
