When cybercriminals hire burglars: Inside an alleged Russian effort to infiltrate multibillion-dollar US law firms
2026-06-27T10:30:26.217Z / CNN
When the phone of an executive at a US law firm rang in April, the voice on the other end was urgent: A computer virus was spreading through the firm.
The caller said they were from IT support and needed physical access to the lawyer’s computer because remote fixes to stop the attack weren’t working. The lawyer told the purported colleague to swing by his desk at the law firm’s office in New Jersey.
The next day, the firm’s receptionist called: The lawyer had a visitor from IT at the front desk.
“That’s when an alarm bell went off: Why would an IT person need to check in with reception?” said Leeann Nicolo, who handles incident response for cybersecurity insurance firm Coalition, which the law firm hired to investigate the incident.
The visitor ran out of the building when the lawyer approached the front desk, according to Nicolo.
It’s one of several incidents at law firms across the country in the last year in which, the FBI and private investigators suspect, the Russian-speaking Silent Ransom Group has hired people in the US to show up in person and plug thumb drives into law firms’ computers. The physical access could help bypass the anti-virus protections that the hackers run up against when attacking from afar.
The group’s millions of dollars in returns contrast with its modest investments: In a private Telegram channel, the group is offering $500 to people to visit law firms and plug in USB sticks, one cybersecurity professional familiar with the incidents told CNN.
The hired hands are “cannon fodder” for the Russian-speaking cybercriminals — expendable assets in a much larger cybercrime war, the source said. It’s a rare and risky tactic for hackers to undertake because it leaves a trail of evidence, including surveillance footage, that the FBI can pore over.
Cybercriminals “are getting increasingly bold in what they recruit people to do over the internet,” a law enforcement official who tracks the group told CNN.
The goal of these brazen operations is to strengthen the criminals’ hands in multimillion-dollar ransom negotiations by obtaining sensitive data on the law firms’ clients. If the firms don’t pay up, the hackers leak the stolen information.
Hacking alone has already netted Silent Ransom Group a fortune. The group has extorted roughly $100 million from law firms in the last six months alone, according to an estimate from a cybersecurity executive who has facilitated ransom payments to the group. Other sources familiar with the group estimated it had extorted at least tens of millions of dollars.
When hacking from afar doesn’t yield enough data for a big score, the group has tried to up the ante by outsourcing burglary. Hired hands have visited major US cities, including New York and Washington, D.C., CNN has found.
In another case, a man posing as IT support entered another US law firm and began speaking Russian into his smart glasses. That was likely intended to give the cybercriminal group a live look at the computers in the building, according to another cybersecurity researcher familiar with the case.
Before the intruder reached the desk of the lawyer whose computer he wanted to compromise, another member of the crime group called the lawyer’s cell phone, posing as a FedEx dispatcher to lure him away from his desk. The intruder plugged in the thumb drive, but the law firm’s cyber defenses blocked the attack, the researcher said.
“My expectation is that they’re targeting every major law firm in the US,” the cyber executive involved in payments to the group told CNN.
Silent Ransom Group is the only “data extortion group” the FBI is aware of that is physically accessing the properties of its victims, the bureau said in a statement to CNN.
There have been “numerous physical access attempts” by Silent Ransom Group in cities across the US, the FBI said. It declined CNN’s request for an interview with an FBI official focused on the cybercrime group.
Other cybercriminals have posed physical threats before, from “swatting” (in which a caller triggers a massive police response) to threatening violence. But most government and private security experts are still not trained to deal with cyber and physical threats at the same time.
“Many threat actors have found it easier to conduct things completely digitally, and therefore (the physical aspect) may be a threat that we don’t think about as much,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group. “It may be a trend where individuals are more likely to trust someone who (shows up) in person because it’s not expected.”
The Silent Ransom Group hackers are no strangers to the FBI. Cybersecurity researchers believe some of its members were involved in the infamous Conti ransomware gang that dissolved in 2022 after a Ukrainian man leaked thousands of the group’s internal chat logs in retaliation for Russia’s full-scale invasion of Ukraine. The leak included evidence that the hackers had connections with Russian intelligence.
The FBI spent years gathering evidence on Conti and tracking its members’ movements (one alleged member pleaded guilty in US court this month). The Ukrainian man told CNN that the FBI asked him to stop leaking the Conti files, apparently because it might interfere with the bureau’s investigation. Now, the FBI is building a case against the Silent Ransom Group by tracking law firms’ payments on the blockchain, multiple sources familiar with the investigation told CNN.
The investigation isn’t completely digital.
Over the last year, at least two US law firms have received extortion letters in the mail demanding payment in cryptocurrency or cash not to leak data allegedly stolen from the firms, according to Nicolo, the executive with cyber insurance firm Coalition. The return addresses on the envelopes were empty offices in Washington, D.C., and Boston, she said, calling it “eerie.”
The letters were signed by a different cybercrime group, but Nicolo thinks it’s a false flag. The forensics show that Silent Ransom Group hacked at least one of the firms, she said.
“I think we are going to see more and more of that,” Nicolo said, referring to break-in attempts and other physical threats to victim organizations.
“It’s a fine line between hoping you get paid and/or hacking enough victims that you’re making money somewhere, and having to apply that next level of pressure,” she said.