This past week, two seemingly unrelated news stories highlighted a critical, often overlooked reality: physical security and cybersecurity are tightly coupled, yet are too often treated as isolated silos.
The first story involved a group of unidentified individuals caught on camera opening a manhole cover and disappearing into the New York City sewer system (see: “Group uncovers manhole, disappears into sewers of Queens”). The second detailed a sophisticated threat actor group targeting U.S. law firms using an aggressive combination of phone calls and physical office visits to deploy ransomware (https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms).
While miles apart in execution, both incidents scream the same urgent question: Is failing physical security leaving your organization wide open to a cyber catastrophe?
Lessons from the Underground: The Sewer Infrastructure Threat
When video surfaced of a group uncovering a manhole and descending into the Queens sewer system, internet comment sections immediately lit up with jokes about the Teenage Mutant Ninja Turtles or the Mario Brothers. But in the world of Operational Technology (OT) and critical infrastructure, this is no laughing matter.
Unauthorized physical access to municipal sewer systems means direct physical access to their control and monitoring systems. Many of these legacy OT systems communicate unencrypted via older protocols like Modbus or DNP3.
Gaining physical proximity to this hardware does more than expose localized data; it provides a beachhead for lateral movement. Because wastewater and broader utility networks often share data collection and visualization infrastructure further up the network topology, an attacker inside a sewer node could theoretically pivot to more critical infrastructure, like drinking water treatment systems. Much like a botnet lying silently dormant inside compromised IoT devices, this type of physical infiltration is a textbook reconnaissance operation—and a massive security nightmare.
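To make the monitoring side of this concrete: Modbus/TCP carries no authentication, so the only things a network monitor can judge a write request by are who sent it and which function code it used. The following is an added example written for this post (not code from the original article or from Viakoo) that parses constructed Modbus/TCP frames, checks the MBAP header for consistency, and raises an alert whenever a state-changing function code arrives from a host that is not on an allowlist of permitted writers. The IP addresses, the allowlist, and the captured frames are all constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state. Modbus/TCP carries no authentication, so
# whether a write is legitimate can only be judged from who sent it.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Hypothetical allowlist: the only host that should ever write to the PLC (the HMI/SCADA server).
WRITE_ALLOWED_SOURCES = {"10.10.5.20"}

# Constructed traffic: (source IP, destination IP, Modbus/TCP request bytes). Frames follow
# the MBAP header layout (transaction id, protocol id, length, unit id) followed by the PDU.
SAMPLE_PACKETS = [
    # HMI reads 10 holding registers (fc 3): routine polling
    ("10.10.5.20", "10.10.5.101", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # HMI writes one register (fc 6): expected operator action
    ("10.10.5.20", "10.10.5.101", b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Unknown host writes a single coil (fc 5)
    ("10.10.5.77", "10.10.5.101", b"\x00\x03\x00\x00\x00\x06\x01\x05\x00\x03\xff\x00"),
    # Unknown host writes multiple registers (fc 16)
    ("10.10.5.77", "10.10.5.101", b"\x00\x04\x00\x00\x00\x0b\x01\x10\x00\x00\x00\x02\x04\x00\x01\x00\x02"),
    # Frame whose MBAP length field disagrees with the bytes actually present
    ("10.10.5.77", "10.10.5.101", b"\x00\x05\x00\x00\x00\x09\x01\x03\x00\x00\x00\x0a"),
]


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


@dataclass
class Alert:
    kind: str       # "unauthorized_write" or "malformed"
    src: str
    dst: str
    function: int   # -1 when the frame could not be parsed
    detail: str


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse a Modbus/TCP request; raise ValueError on anything that is not a well-formed frame."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6} bytes present")
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def inspect(packets, allowed_writers=WRITE_ALLOWED_SOURCES):
    """Flag write requests from non-allowlisted sources and frames that do not parse."""
    alerts = []
    for src, dst, payload in packets:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as err:
            alerts.append(Alert("malformed", src, dst, -1, str(err)))
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append(Alert("unauthorized_write", src, dst, req.function,
                                f"{WRITE_FUNCTIONS[req.function]} to unit {req.unit_id}"))
    return alerts


if __name__ == "__main__":
    for a in inspect(SAMPLE_PACKETS):
        print(f"[{a.kind}] {a.src} -> {a.dst} fc={a.function}: {a.detail}")
```

Run against the constructed traffic, the two writes from the unknown host and the malformed frame are reported, while the HMI's read and write pass. In a real deployment the allowlist would come from an asset inventory, and reads from unknown sources are worth logging too, since a newly appearing reader on an OT segment is exactly the reconnaissance pattern the paragraph above describes.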
The New “Help Desk” Threat: Physical Infiltration at Law Firms
Meanwhile, a report from Google Mandiant and the Google Threat Intelligence Group (GTIG) shed light on a highly coordinated campaign targeting dozens of professional, legal, and financial services organizations. The threat actor group behind it—tracked as UNC3753 (also known as Chatty Spider or Silent Ransom Group)—is proving that old-school social engineering vectors never truly die; they just get upgraded.
UNC3753 has been executing a sophisticated playbook that combines digital deception with physical audacity. Their primary targets are senior-level, non-IT professionals who hold the keys to highly confidential data. Lawyers, financial executives, and insurance partners fit this profile perfectly.
What makes this campaign particularly alarming is its speed and physical component. In some instances, attackers aren’t just calling; they are physically walking into corporate offices, bypassing front desks, and attempting to exfiltrate data or drop malware directly via removable media. By blending social engineering with real-world foot traffic, these attackers are achieving their extortion goals within a single day.
Bridging the Gap: How to Protect Your Enterprise
Organizations can no longer afford to treat physical security and cybersecurity as separate departments. If a threat actor can physically touch your hardware or walk onto your floor, your digital firewalls won’t save you.
To defend against these hybrid threats, enterprises must rethink their posture:
- Stop Outsourcing Your Trust: In professional settings like high-rise law offices, tenants often falsely assume that physical security is entirely handled by building management or the facilities team. This is a highly risky assumption. Regardless of whether you lease or own your premises, your enterprise must enforce its own strict physical access policies.
- Enforce Zero-Trust Physical Access: Standard physical security principles dictate that no one—regardless of whether they claim to be an IT contractor, a utility worker, or a delivery person—gains access to operational spaces without rigorous, independent verification.
- Deploy Automated Monitoring and Forensics: Relying on human awareness training isn’t enough. Organizations need automated endpoint security and IoT/OT monitoring solutions that provide immediate alerts the moment a policy violation occurs—such as an unauthorized USB drive being plugged into a machine or a tamper sensor triggering on a remote enclosure.
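The USB case in the last point is easy to automate from logs the endpoint already produces. The following is an added example for this post (not code from the original article or from Viakoo) that reads constructed Linux kernel USB messages in syslog form, correlates the enumeration, serial number and mass-storage class lines for each port, and alerts whenever a device binds as mass storage without matching an allowlist of (vendor id, product id, serial). The hostnames, device identities and allowlist are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of Linux kernel USB messages as they appear in
# syslog (not taken from any real host). Two hosts, three device attachments.
SAMPLE_LOG = """\
Jan 10 09:12:01 ws-07 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Jan 10 09:12:01 ws-07 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jan 10 09:12:01 ws-07 kernel: usb 1-2: SerialNumber: 4C530001234567
Jan 10 09:12:02 ws-07 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Jan 10 09:30:44 ws-07 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jan 10 09:30:44 ws-07 kernel: usb 1-3: Product: USB Receiver
Jan 10 11:02:17 ws-12 kernel: usb 2-1: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Jan 10 11:02:17 ws-12 kernel: usb 2-1: SerialNumber: 0019E06B4D5E
Jan 10 11:02:18 ws-12 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: (idVendor, idProduct, serial) of the one corporate-issued drive
# permitted to mount as mass storage. Anything else that binds as storage raises an alert.
ALLOWED_STORAGE = {("0781", "5583", "4C530001234567")}

PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEV_RE = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): New USB device found, "
                        r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL_RE = re.compile(PREFIX + r"usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE_RE = re.compile(PREFIX + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class Alert:
    ts: str
    host: str
    port: str
    vid: str
    pid: str
    serial: str
    reason: str


def scan(log_text, allowlist=ALLOWED_STORAGE):
    """Return an Alert for every mass-storage attachment whose identity is not allowlisted."""
    devices = {}   # (host, port) -> identity of the device currently enumerated on that port
    alerts = []
    for line in log_text.splitlines():
        m = NEW_DEV_RE.match(line)
        if m:
            # A new enumeration on this port replaces whatever was plugged in there before.
            devices[(m["host"], m["port"])] = {"ts": m["ts"], "vid": m["vid"],
                                               "pid": m["pid"], "serial": "(none)"}
            continue
        m = SERIAL_RE.match(line)
        if m:
            dev = devices.get((m["host"], m["port"]))
            if dev:
                dev["serial"] = m["serial"]
            continue
        m = STORAGE_RE.match(line)
        if m:
            dev = devices.get((m["host"], m["port"]))
            if dev is None:
                # Storage class bound without an enumeration we saw: still worth an alert.
                alerts.append(Alert(m["ts"], m["host"], m["port"], "?", "?", "?",
                                    "storage device with no enumeration record"))
                continue
            if (dev["vid"], dev["pid"], dev["serial"]) not in allowlist:
                alerts.append(Alert(m["ts"], m["host"], m["port"], dev["vid"], dev["pid"],
                                    dev["serial"], "mass storage device not on allowlist"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.host} usb {a.port}: {a.reason} "
              f"(vid={a.vid} pid={a.pid} serial={a.serial})")
```

On the constructed log, the corporate drive on ws-07 is allowed, the wireless receiver on port 1-3 never binds as storage and is ignored, and the unknown drive on ws-12 produces the alert. Keying the allowlist on the serial number as well as vendor and product ids matters: vendor and product ids alone only say what model was plugged in, not whether it is the drive the organization issued.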
The Bottom Line
Whether it’s a nation-state actor mapping out vulnerabilities beneath city streets or a financial extortion group walking right through your front doors, attackers know that the easiest way around a digital firewall is a physical backdoor. It’s time to lock both. Viakoo uniquely bridges that gap with a platform designed to ensure that physical security systems are always working as they should, and that cybersecurity is maintained by all OT systems being visible, operational, and secure.