The nexus between cyber and physical security is taking a new shape as bad actors increasingly use a physical point of attack to access sensitive data, reports show.
This spring, a cyber threat enterprise called Silent Ransom Group, or SRG, has been targeting law firms and organizations, using information technology-themed engineering calls and people posing as IT support to gain access to servers to steal sensitive data, according to a notification from the Federal Bureau of Investigation.
“Starting Spring 2023, the group has consistently targeted U.S.-based law firms, likely due to the highly sensitive nature of legal industry data,” the FBI said in its notice. The group has also targeted medical and insurance organizations, the notice states.
“As of April 2025, SRG was observed changing their tactics to calling individuals and posing as an employee from the victim’s IT department,” the FBI said. “SRG then sent an individual in person to access the computer and insert a storage device into the computer.”
Google cybersecurity company Mandiant says it’s seeing similar incursions.
“For January through May 2026, [we] identified a financially motivated data theft extortion campaign … targeting dozens of organizations across professional, legal, and financial services in the United States,” the company said on Friday.
These incursions often take the form of a person talking their way into a facility.
Bad actors are discovering that people’s inclination to trust someone who’s standing in front of them works to their advantage, Heath Mullins, former Forrester cybersecurity analyst and chief evangelist at ExtraHop, told Facilities Dive.
An infiltrator might say they’re late for their next call and just need to put toner in the printer or make a single change because something’s unplugged, Mullins said in an interview. “And [they’re] being very nice and generous about it,” he said. “It’s not a bot you’re talking to; it’s an actual human being, and that is a huge weak spot.”
Once in, an infiltrator can act quickly, according to Mandiant.
In many incidents, “the entire attack sequence — from initial target contact to data theft and extortion — occurred within a single business day,” the company’s report said. “Recently, Mandiant observed data searches, staging, and theft initiated in under an hour.”
It’s not uncommon for someone at the front desk not to be aware of everything that happens within an information technology organization, Mullins said. “They just know that nothing’s on the schedule, but here’s somebody saying they are supposed to be there,” he said. “I just haven’t received notification yet, and that’s extremely common.”
The integration of in-person, physical intrusions represents an escalation in threat capability that organizations must prepare for, Mandiant said. “Physical corporate boundaries are frequently protected only by administrative procedures,” it said.
These types of attacks will become more common, though they’re likely to be concentrated in organizations that don’t have multilayered physical security in place, according to Mullins.
“I would say the more sophisticated organization has less chance of that happening, because they’re going to have armed guards or real physical controls, where not only can they see you, but you can’t make it to the elevator,” he said. “And then they have to send the elevator for you. That’s going to be harder to do, but not impossible, because … it comes down to churn and character.”
Countermeasures
To protect themselves, facilities holding sensitive information should add multiple steps of authentication to their physical security posture, such as two-factor authentication on work devices for physical access management.
The FBI recommends facility security leaders verify the credentials of people accessing firm spaces, conduct staff training on restricting phishing attempts, maintain regular backups of company data and develop communication policies regarding when and how company IT staff will authenticate themselves.
“Implement rigid out-of-band identity verification controls for all external contractors, technical staff, and facilities visitors,” Mandiant recommended in its post. The company also says to:
- Require visitors to display credentials and photo identification.
- Require front-desk staff to copy and log physical visitor IDs before granting access.
- Verify the arrival of technicians against pre-scheduled work orders with the verified parent organization or helpdesk dispatcher.
- Enforce a policy requiring physical technical service personnel to be escorted by a corporate supervisor at all times.
It’s possible to tighten security without making access onerous, Mullins said. “The harder you make it, the more likely they are to try and circumvent it,” through methods like piggybacking, he said.
Increased security steps should be taken in tandem with a change management process, because making stepped-up processes work requires a culture change, Mullins said.
Operators should think about the times when physical security teams tend to slip, he said. “When does that occur? It’s the middle of the night,” he said. “Everybody’s tired. Nobody cares. I’ve personally seen lots of guys snoring.”
Lapses like that open a window for a threat actor to slip a device into a USB port or perform some keystrokes on a laptop.
“Physical security is very different from cybersecurity, but there are common themes,” Mullins said. “You don’t trust anyone. You track everyone. You verify everyone. And what did they touch? What did they do? How long were they there? Are they supposed to be here? It all comes down to verification of that individual.”