The FBI Cyber Division has issued warnings since spring 2023 documenting the group's evolving tactics. As of March 2025, SRG shifted to direct vishing calls impersonating legitimate IT personnel. By April 2025, the group began conducting in-person visits to target locations to physically insert storage devices for data theft. The group's origin remains unconfirmed, though analysts assess likely Russian affiliation. Law firms remain the primary target, though healthcare and insurance sectors have also been hit.
Law firms should treat this as an active operational threat. The malware-free approach means traditional endpoint detection will miss initial compromise. Immediate steps include enforcing multi-factor authentication across all remote access tools, restricting or eliminating consumer remote desktop software like Zoho Assist and AnyDesk, and conducting security awareness training focused on vishing tactics. Any unauthorized remote access attempts or suspicious in-person requests for device access should be reported immediately to the FBI Cyber Division.
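One way to audit the "restrict or eliminate consumer remote desktop software" step, as an added example that is not part of the original advisory: it scans process-start events for the remote-access tools named above and reports any that run outside an approved install location. The pipe-delimited log format, the path patterns and the approved-tool table are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Assumption: substrings that identify the remote-access tools named in the
# advisory inside an image path. Tune these to your own software inventory.
REMOTE_TOOL_PATTERNS = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Zoho Assist": re.compile(r"zoho[\s_-]?assist", re.I),
}

# Assumption: tool name -> only install prefix the organisation sanctions.
# Empty means no consumer remote-access tool is approved at all.
APPROVED = {}

# Constructed sample events: timestamp|host|user|image path
SAMPLE_EVENTS = r"""
2025-04-02T09:14:07|WS-017|jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe
2025-04-02T09:15:40|WS-017|jdoe|C:\Program Files\Microsoft Office\WINWORD.EXE
2025-04-02T10:02:11|WS-044|asmith|C:\Users\asmith\AppData\Local\Temp\Zoho Assist\session.exe
2025-04-02T10:30:00|WS-044|asmith|C:\Windows\System32\notepad.exe
"""

def classify(image_path, approved=APPROVED):
    """Return (tool, allowed) if the path matches a remote-access tool, else None."""
    for tool, pattern in REMOTE_TOOL_PATTERNS.items():
        if pattern.search(image_path):
            prefix = approved.get(tool)
            allowed = bool(prefix) and image_path.lower().startswith(prefix.lower())
            return tool, allowed
    return None

def find_unapproved(log_text, approved=APPROVED):
    """Group unapproved remote-access tool launches by host."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.strip().split("|", 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, host, user, image = parts
        hit = classify(image, approved)
        if hit and not hit[1]:
            findings[host].append((ts, user, hit[0], image))
    return dict(findings)

if __name__ == "__main__":
    for host, hits in find_unapproved(SAMPLE_EVENTS).items():
        for ts, user, tool, image in hits:
            print(f"{host} {ts} {user}: unapproved {tool} at {image}")
```

Path matching is a coarse first pass: a renamed binary will not match, so pair it with application allowlisting and network controls on the tools' traffic.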