Lewis Brisbois limits remote work after cyberattack

Lewis Brisbois ordered remote and hybrid employees to work from offices or use firm-issued computers after a cyberattack led the law firm to block outside access to internal networks.

Bloomberg Law reported the order, citing internal emails, and said the disruption affects employees who rely on remote access to firm systems. No public client-service outage has been confirmed.

The timeline began at least June 5, when the firm’s information security director warned employees that attackers were calling workers, including on cellphones, while posing as internal IT staff and falsifying caller ID, according to Bloomberg Law.

Five days later, the firm told employees that all remote and hybrid workers must either work from an office or bring firm-issued computers home, according to emails viewed by Bloomberg Law.

“Until additional equipment can be purchased and distributed,” office administrator Elijah Bernal wrote, employees on remote or hybrid schedules would need to work in the office or take their office computer setup home, Bloomberg Law reported.

The report did not say that public-facing legal services were unavailable. It was not clear whether hackers successfully entered the firm’s network, and Lewis Brisbois had not responded to DysruptionHub’s request for comment by publication time.

The reported tactics match a recent FBI warning about Silent Ransom Group, also known as Luna Moth, Chatty Spider and UNC3753, but Lewis Brisbois has not publicly attributed the incident to that group.

The FBI said in a May 26 flash alert that Silent Ransom Group has targeted U.S. law firms since spring 2023 by posing as IT support through calls and phishing emails. The FBI said the group seeks access to victim computers through legitimate remote access tools or, in some cases, by sending a person to the victim’s office to gain physical access to machines.

Chip in once If this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.

Tip us

Support us monthly A small monthly pledge keeps independent coverage and our reader tools online for everyone.

Become a Supporter

The FBI said the group typically conducts data theft and extortion without relying on traditional ransomware encryption. Google’s Mandiant and Google Threat Intelligence Group said this month that related activity targeted dozens of U.S. professional, legal and financial services organizations from January through May, often using impersonation calls, screen-sharing sessions and remote management tools to reach sensitive files.

DysruptionHub found no public claim of responsibility in a review of known ransomware and extortion leak sites before publication. The overlap in tactics reflects a known law-firm threat pattern, not confirmation of who was behind the Lewis Brisbois incident.

Lewis Brisbois lists offices in more than 50 locations across the United States, with a heavy California presence that includes Los Angeles, San Francisco, San Diego, Sacramento and Orange County. Its national footprint also includes offices in major legal and business markets such as New York, Chicago, Washington, D.C., Boston, Atlanta, Dallas, Houston, Miami and Seattle.

The firm also promotes a national Data Privacy & Cybersecurity practice that advises clients on data privacy compliance, cyber risk management, breach response and litigation tied to data breach incidents. The firm says the practice handles sophisticated cyberattacks and events involving sensitive personal information, including cross-border breaches.

Lewis Brisbois’ recovery status remains unclear, and the known operational impact is limited to internal remote-work restrictions while the firm shifts employees to offices or firm-issued devices. The firm has not said whether attackers accessed its systems, whether client or employee data was exposed, when remote access will be restored, whether a ransom demand was received or whether law enforcement is involved.

Attribution note: DysruptionHub credits upstream reporting and primary sources—see citations above. If this report informed your coverage, please cite DysruptionHub with a link.