“We are aware of several dozen high-value corporate entities targeted across multiple sectors.”
That’s Google Threat Intelligence’s Austin Larsen, dropping a bombshell in his latest blog post. Not hyperbole—real intrusions, real data theft, real extortion demands landing in inboxes via Proton Mail.
UNC6783. New name, old tricks. They’re not blasting mass emails. No, these guys — smooth-talking pros — hit call centers, BPOs, and helpdesks directly. Compromise the outsourcer? Boom, legitimate creds for the big fish clients. It’s the Scattered Spider playbook, refined.
Why Your Helpdesk Is a Sitting Duck
Look, BPOs handle the grunt work for giants—ticketing, support, resets. But security? Often an afterthought. UNC6783 knows this. They spoof Okta logins with domains like .zendesk-support<##>.com. Chat agents click, paste creds — clipboard stealers snag MFA codes. Then? Persistent access via enrolled devices.
Fake software updates seal the deal, dropping RATs. Google spotted it all. And here’s my take: this isn’t random. Market dynamics scream vulnerability. Global BPO spend hit $300 billion last year (Statista), yet breach reports from these firms? Crickets. Companies outsource risk, not defenses.
“The campaign relies on social engineering via live chat to direct employees to malicious, spoofed Okta login pages,” Larsen said.
Pure gold for attackers. One chat slip, and you’re in the cloud.
And Adobe? That Mr. Raccoon claim last week smells like UNC6783’s handiwork. Indian BPO employee RAT’d, manager phished, 13 million tickets swiped. Employee records, HackerOne bugs, internals—all out. vx-underground calls it legit. Adobe’s mum, naturally.
Is This the New Normal for Cloud Breaches?
Short answer: yes. Remember ShinyHunters? Same vector, MGM chaos. But UNC6783 scales it. Dozens hit already. Sectors? Finance, tech, you name it. Financially motivated—no nation-state flair, just cold cash.
Here’s my unique angle, absent from Google’s post: this echoes the 2016 Uber breach. Outsourced helpdesk in the Philippines, creds swiped, 57 million users exposed. History rhymes. Prediction? As cloud migration accelerates—Gartner says 85% of enterprises fully cloud by 2025—BPO attacks spike 40% yearly. Why? Cost-cutting trumps segregation. Firms like Accenture, Genpact laugh to the bank while clients bleed data.
But Google’s sharp—linking to Raccoon. Persona games aside, it’s pro work. Proton for ransoms? OpSec tight.
So, does this strategy make sense for defenders? Hell no. You’re reactive, they’re proactive. Train helpdesk? Sure, but phishing kits evolve. MFA bypasses? Standard now. Zero-trust your vendors, or get owned.
What Broke—and What’s Next
Tactics unpacked: live chat social engineering. Phishing kits nab clipboard MFA. RATs via fake updates. BPO pivots to customer nets. Extortion follows.
Market truth: high-value targets pay. UNC6783 bets on it. We’ve seen $100k+ ransoms stick. Adobe’s silence? PR spin, betting on fade-out. Won’t work—data’s live on forums soon.
Unique critique: Google’s blog reads like a vendor pitch (Mandiant tie-in?). But facts land. No hype, just “several dozen.” Understatement? Probably hundreds brewing.
Defenses? Segment BPOs ruthlessly. AI chat filters? Emerging, but test ’em. Hunt anomalies in Okta logs. It’s table stakes.
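One concrete Okta hunt for the chain described above (creds pasted into a spoofed login, then persistence via a newly enrolled factor): flag any MFA enrollment that follows a sign-in from an IP the user has never used before. This is an added example, not from Google’s post or any Okta tooling; the event types and field names follow the Okta System Log schema, the log lines and the 30-minute window are constructed assumptions.

```python
"""Flag MFA enrollments that follow a sign-in from an IP outside the user's
baseline. Event types / field names follow the Okta System Log schema;
the sample events below are constructed, not real log data."""
import json
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed; tune to your environment

# Constructed sample events in Okta System Log shape (one JSON object per line).
SAMPLE_LOG = """
{"published":"2025-11-03T09:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"agent1@example-bpo.com"},"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"published":"2025-11-03T09:05:00.000Z","eventType":"user.session.start","actor":{"alternateId":"agent1@example-bpo.com"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"published":"2025-11-03T09:09:00.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"agent1@example-bpo.com"},"client":{"ipAddress":"198.51.100.77"},"outcome":{"result":"SUCCESS"}}
{"published":"2025-11-03T10:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"agent2@example-bpo.com"},"client":{"ipAddress":"203.0.113.11"},"outcome":{"result":"SUCCESS"}}
{"published":"2025-11-03T10:02:00.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"agent2@example-bpo.com"},"client":{"ipAddress":"203.0.113.11"},"outcome":{"result":"SUCCESS"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON events into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def find_suspicious_enrollments(events, known_ips, window=WINDOW):
    """Return (user, ip, enroll_time) for every successful MFA factor activation
    that comes from the same IP as a successful session start from an IP not in
    the user's baseline (`known_ips`: user -> set of IPs) within `window`."""
    events = sorted(events, key=lambda e: e["published"])
    new_ip_logins = {}  # user -> (ip, time) of the latest login from an unknown IP
    hits = []
    for e in events:
        if e.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = e["actor"]["alternateId"]
        ip = e["client"]["ipAddress"]
        t = datetime.strptime(e["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        if e["eventType"] == "user.session.start":
            if ip not in known_ips.get(user, set()):
                new_ip_logins[user] = (ip, t)
        elif e["eventType"] == "user.mfa.factor.activate":
            prior = new_ip_logins.get(user)
            if prior and prior[0] == ip and t - prior[1] <= window:
                hits.append((user, ip, e["published"]))
    return hits

if __name__ == "__main__":
    baseline = {"agent1@example-bpo.com": {"203.0.113.10"},
                "agent2@example-bpo.com": {"203.0.113.11"}}
    for hit in find_suspicious_enrollments(parse_events(SAMPLE_LOG), baseline):
        print("review:", hit)  # agent1 enrolled a factor 4 min after a first-seen IP login
```

Build the baseline from a longer look-back than the hunt window, and treat agent2 (enrollment from a known IP) as the benign control the rule must not fire on.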
And the Adobe tie? If true, exposes SaaS giants’ underbelly. Helpdesk tickets = goldmines. PII, creds, internals. Raccoon’s brag: 15k employee records. Ouch.
Here’s the thing—enterprises, wake up. This crew’s just starting. Multi-sector blitz means no one’s safe. Invest now, or fund the next Proton inbox.
Frequently Asked Questions
What is UNC6783 and how do they attack?
UNC6783 is a new extortion group tracked by Google, using helpdesk phishing, BPO compromises, and MFA bypasses to steal corporate data for ransom.
Did UNC6783 breach Adobe?
Likely yes—Mr. Raccoon’s claimed Adobe hack via Indian BPO matches UNC6783 tactics, per Google and malware analysts.
How can companies stop helpdesk phishing?
Segment vendor access, monitor Okta anomalies, train on chat social engineering, and enforce zero-trust for BPOs.