Zero-day lets nation-state spies cross-examine elite US law firm Williams & Connolly
China-linked snoops crack email at DC powerhouse that represented Bill Clinton, Elizabeth Holmes
Washington's elite law firm Williams & Connolly has confirmed that attackers exploited a zero-day vulnerability to access a handful of attorney email accounts in what it believes was a nation-state-linked cyberattack.
In a statement, the firm said it "recently discovered a cybersecurity incident involving access to certain systems on our network," and that the attackers had "leveraged what is known as a zero-day attack." It added that, based on an investigation conducted with CrowdStrike, the threat actor was affiliated with a nation-state group "responsible for recent attacks on a number of law firms and companies."
Williams & Connolly stated that there was no evidence that confidential client data had been extracted from its databases, which store sensitive case files.
Williams & Connolly added that it had "blocked the threat actor" and found "no evidence of any unauthorized traffic" remaining on its network.
The breach is particularly sensitive given the firm's high-profile client roster, which includes Bill and Hillary Clinton, Theranos founder Elizabeth Holmes, and major players in the technology, healthcare, and media industries.
While the firm stopped short of naming the country it believes responsible, some reports have attributed the intrusion to China-linked hackers. That aligns with a September advisory from Google's Threat Analysis Group and Mandiant, which warned that China-nexus threat clusters had been exploiting multiple zero-day vulnerabilities to infiltrate the US legal sector and gather intelligence on national security and international trade.
According to Google, the attackers maintain long-term stealthy access to victim networks, averaging 393 days before detection, by planting custom malware on systems that don't typically run endpoint security tools, such as VPN appliances, VMware vCenter servers, and other edge devices. Once inside, they've been observed cloning virtual machines, creating rogue admin accounts, and using "common techniques to conduct bulk email access and exfiltration from Microsoft 365 Exchange Online."
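As an added illustration of what detecting the two behaviours Google describes (bulk mailbox access and rogue admin creation) can look like in practice, the following example is not from the article, Google or CrowdStrike. It parses constructed Microsoft 365 Unified Audit Log records (field names follow the Office 365 Management Activity API schema as I understand it; the addresses, accounts and the trusted egress range are invented) and raises an alert when one account's mailbox is synced repeatedly from an untrusted IP, or when someone is added to the Global Administrator role.

```python
import json
from collections import Counter

# Constructed sample of Microsoft 365 Unified Audit Log records, one JSON object
# per line. Field names (Operation, UserId, ClientIP, OperationProperties,
# ModifiedProperties) mirror the Management Activity API; values are invented.
SAMPLE_LOG = r'''
{"Operation":"MailItemsAccessed","UserId":"partner@example.com","ClientIP":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
{"Operation":"MailItemsAccessed","UserId":"partner@example.com","ClientIP":"203.0.113.9","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"Operation":"MailItemsAccessed","UserId":"partner@example.com","ClientIP":"203.0.113.9","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"Operation":"MailItemsAccessed","UserId":"partner@example.com","ClientIP":"203.0.113.9","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"}]}
{"Operation":"Add member to role.","UserId":"svc-backup@example.com","ObjectId":"newadmin@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}
{"Operation":"MailItemsAccessed","UserId":"associate@example.com","ClientIP":"198.51.100.7","OperationProperties":[{"Name":"MailAccessType","Value":"Bind"}]}
'''

TRUSTED_PREFIXES = ("198.51.100.",)  # assumed corporate egress range (constructed)
SYNC_THRESHOLD = 3                   # full-folder syncs per (user, IP) before alerting


def detect(log_text):
    """Return alert strings for bulk mailbox sync from untrusted IPs and new Global Admins."""
    sync_counts = Counter()
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        op = rec.get("Operation")
        if op == "MailItemsAccessed":
            props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
            ip = rec.get("ClientIP", "")
            # "Sync" means a client pulled whole folders, which is how bulk
            # collection shows up; "Bind" is ordinary per-item access.
            if props.get("MailAccessType") == "Sync" and not ip.startswith(TRUSTED_PREFIXES):
                key = (rec["UserId"], ip)
                sync_counts[key] += 1
                if sync_counts[key] == SYNC_THRESHOLD:  # alert once per (user, IP)
                    alerts.append(f"bulk-sync {rec['UserId']} from {ip}")
        elif op == "Add member to role.":
            roles = [m.get("NewValue") for m in rec.get("ModifiedProperties", [])
                     if m.get("Name") == "Role.DisplayName"]
            if "Global Administrator" in roles:
                alerts.append(f"new-global-admin {rec.get('ObjectId')} by {rec['UserId']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In a real tenant the sync threshold would be tuned against baseline mobile-client behaviour, and the trusted range replaced with the organisation's actual egress addresses.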
An apparently similar campaign is thought to have breached more than a dozen law firms and technology companies in recent months. The intrusions reportedly focused on collecting information from attorneys and corporate advisors involved in politically or economically sensitive cases.
Law firms have long been a prime target for state-backed espionage, serving as convenient proxies for intelligence gathering. They often hold confidential communications, deal data, and litigation materials tied to government policy and corporate negotiations, information far more difficult to extract directly from official or corporate systems.
With clients spanning former presidents and Fortune 100 companies, Williams & Connolly's inboxes are an attractive target for adversaries seeking leverage or insight into the US legal and policy apparatus.
Neither Williams & Connolly nor CrowdStrike has stated which zero-day flaw was used, although the firm's wording suggests that the exploit was patched only recently or remains unpatched elsewhere. "Williams & Connolly is committed to protecting the confidentiality and security of its clients' data," the firm said, adding that it continues to work with in-house and external cybersecurity experts to strengthen its defences.
For a law firm accustomed to arguing landmark cases, it's an unwelcome reminder that in Washington, even the best defences can be out-litigated by a zero-day. ®