Cyber Incident Victim: Cravath Swaine & Moore LLP

Date: Jul 2015

Location: United States of America

Summary

Hackers compromised the network of Cravath Swaine & Moore LLP, along with that of another major law firm, seeking confidential information for insider trading. The FBI investigated breaches potentially enabling illicit stock market gains through unauthorized access to material non-public data. Attackers used stolen credentials and malware to infiltrate and monitor corporate networks, part of a broader campaign that prompted federal warnings to the legal sector. Compromised systems risked exposure of sensitive client details and employee records, increasing exposure to subsequent phishing and social engineering. Law firms were specifically targeted because they handle privileged corporate intelligence and trade secrets.

Description

In mid-2015, hackers breached the computer networks of Cravath Swaine & Moore LLP, a prominent US law firm specializing in financial services and corporate law. The intrusion was discovered during an FBI investigation that began in 2015 and expanded to include a similar breach at Weil Gotshal & Manges LLP. Attackers used stolen credentials to gain privileged access, infected systems with malware, and monitored networks for material non-public information related to corporate clients' business ventures. The FBI determined the breaches were part of a coordinated insider trading scheme where criminals sought advance knowledge of mergers, acquisitions, or earnings announcements to place strategic stock market bids. By February 2016, investigators identified connections to cybercriminal forums where actors advertised phishing services specifically targeting international law firms, with one Russian forum post explicitly naming potential target firms. The Financial Services Information Sharing and Analysis Center (FS-ISAC) and cybersecurity firm Flashpoint disseminated warnings about the campaign, noting its focus on patent and intellectual property attorneys who handle sensitive corporate data.

The FBI issued a Private Industry Notification alerting law firms that attackers were maintaining persistent network access to harvest confidential client information prior to public disclosures. Forensic analysis revealed the hackers sought two primary data types: insider information for stock manipulation and executive email lists for future phishing operations targeting large corporations. This incident mirrored a separate 2015 case where hackers breached newswire services like PR Newswire to steal earnings reports, resulting in SEC charges against 32 individuals. At Cravath, compromised systems potentially exposed employee credentials and client records, creating risks for secondary fraud schemes. The firm coordinated with federal investigators to assess breach scope while advising staff to monitor financial accounts, verify email sources, and reset vulnerable passwords. No public confirmation emerged regarding whether stolen data was successfully used for illicit trades, though the FBI's ongoing investigation suggested operational connections between the law firm intrusions and international trading networks.
