Key points:
- Google and Mandiant identify UNC5221 as an espionage group targeting U.S. law firms.
- Hackers deploy BRICKSTORM malware to maintain long-term access to systems.
- Average dwell time is 393 days, far above the global average of 10 days.
- Intrusions focus on national security, international trade, and intellectual property.
U.S. law firms are facing cyberattacks from a hacking group with suspected links to China, according to a warning issued by Google’s Threat Intelligence Group and Mandiant. The campaign, attributed to a group identified as UNC5221, employs a backdoor known as BRICKSTORM to maintain persistent access to compromised systems.
The attackers’ primary objective is espionage. They focus on national security, trade, and intellectual property matters by infiltrating law firms, technology providers, and other industries. “The targeting of the U.S. legal space is primarily to gather information related to U.S. national security and international trade,” the warning said.
UNC5221 collects technical information to identify software vulnerabilities, enabling long-term access and lateral movement across networks. Google’s Doug Bienstock emphasized the scale of the threat, noting that while the average global dwell time for intrusions is 10 days, UNC5221 typically remains undetected for over a year—averaging 393 days.
The group is suspected of links to China but has not been formally tied to other well-known China-based actors. In March, Microsoft identified “Silk Typhoon” as a Chinese espionage group exploiting remote management tools, though Mandiant says it tracks UNC5221 separately.
Law firms are particularly vulnerable because of their role in patent disputes, insurance matters, mergers, and acquisitions. According to Storm Guidance CEO Neil Hare-Brown, “Their goal is the theft of intellectual property, and they target law firms by first compromising their technology suppliers.”
The legal industry is not the only target. SaaS providers, business process outsourcers, and technology companies have also been hit since March 2025. Mandiant reports that some attacks focused on developer and system administrator emails, while others targeted individuals tied to economic and geopolitical matters of interest to Beijing.
Other groups also remain active against the sector. Silent Ransom, a separate cybercrime gang, has been linked to more than 50 law firm breaches, including Am Law 100 firm Fenwick & West. The convergence of espionage-driven campaigns and profit-motivated ransomware highlights a growing, multifaceted threat to legal services.