Legal & Professional Services Threat Intelligence
Ransomware, espionage, and data theft targeting law firms, accountancies, and consultancies holding high-value M&A, litigation, and client privilege data.
Flash Briefings
RansomHub Affiliates Targeting UK Law Firms During Active M&A Mandates
Multiple UK and European law firms have been hit by RansomHub-affiliated actors during live M&A transactions. The timing is deliberate: attackers maximise leverage by striking when client pressure to resolve the incident is highest.
APT10 Renews MSP Targeting in UK and Europe — Cloud Hopper Techniques Persist
China's APT10 has resumed systematic targeting of UK managed service providers and professional services firms, using the same supply chain pivot techniques that characterised the Cloud Hopper campaign — now adapted for cloud-managed tenants.
Lazarus Group Extends Cryptocurrency Targeting to UK Exchanges and Law Firm Custodians
North Korea's Lazarus Group has extended its cryptocurrency theft operations to UK-regulated digital asset exchanges and the law firms that provide custody and compliance services to crypto clients — combining financial theft with intelligence collection.
LockBit Resurgence: Affiliate Network Active Across UK Healthcare and Professional Services
Despite Operation Cronos and the February 2024 infrastructure seizure, LockBit-affiliated actors continue to operate on LockBit 3.0 and successor infrastructure. UK healthcare and professional services organisations have been among the most recent confirmed victims.
First Confirmed AI-Built Zero-Day: Google Thwarts Mass Exploitation Campaign
A threat actor used a large language model to write a working 2FA bypass exploit for a widely deployed open-source admin tool. Google's threat intelligence team detected the planned mass exploitation campaign before it launched. The code left distinctive LLM fingerprints.
FIN7 Pivots to Financial Services with New Phishing Infrastructure and Loader Malware
The FIN7 group has refreshed its phishing infrastructure and is deploying a new loader variant against mid-tier UK and European financial institutions. Targets include wealth managers, brokers, and payment processors.
Deep Analysis
AI in the Attack Chain: How Threat Actors Are Using Language Models Operationally
AI-assisted exploitation is no longer theoretical. From automated vulnerability research to AI-generated spear-phishing, the adoption of LLMs across the offensive lifecycle is accelerating. This analysis examines what is confirmed, what is emerging, and what it means for defenders.
Scattered Spider: When Social Engineering Becomes a Professional Discipline
The group behind the MGM Resorts and Caesars Entertainment attacks isn't a nation-state operation or a seasoned criminal enterprise. They're young, English-speaking, and they're better at manipulating people than most security teams are at stopping them.
Commentary
The Data That Nation-States Actually Want Is Sitting in Your Document Management System
Law firms and professional services firms are among the most intelligence-rich targets in the UK economy. Understanding why clarifies the threat — and why perimeter security alone is the wrong response.
Why Ransomware Groups Don't Die When You Arrest Their Leaders
The ransomware-as-a-service model has created a resilient criminal infrastructure that survives law enforcement actions, FBI seizures, and individual prosecutions. Understanding why is the first step to defending against it.
Nation-State Threats: What Business Leaders Get Wrong and Why It Matters
Most executives conflate nation-state cyber activity with the ransomware threat they're more familiar with. They are different in purpose, method, and the defences required. Getting this wrong shapes your entire risk posture.