xiand.ai
Apr 9, 2026 · Updated 08:23 AM UTC
Cybersecurity

Hacker Group UNC6783 Exploits Outsourcing Vulnerabilities to Steal Corporate Customer Data

Google’s Threat Intelligence Group has issued a warning that the hacker group UNC6783 is compromising business process outsourcing (BPO) providers to steal Zendesk support tickets from major corporations for extortion purposes.

Ryan Torres

Google’s Threat Intelligence Group (GTIG) recently disclosed that a hacker group it tracks as "UNC6783" is repeatedly using third-party outsourcing providers as a springboard into sensitive data held by major enterprises. The group uses the stolen data to extort its victims, and dozens of companies have already been affected.

Austin Larsen, lead threat analyst at GTIG, said that UNC6783 primarily breaks into business process outsourcing (BPO) providers through social engineering and phishing. Once inside a provider's environment, the attackers pivot through the provider's existing access into the large corporate clients it serves.

Phishing Attacks Targeting Customer Support Systems

Alongside the BPO intrusions, the group also targets corporate customer support staff directly. During live chat sessions, the attackers lure support agents to fraudulent Okta login pages. These phishing sites impersonate the target company's domain, typically using a naming convention like "[.]zendesk-support[.]com."

Larsen explained that the phishing kits can capture clipboard contents and defeat multi-factor authentication (MFA), which lets the attackers register their own devices as trusted MFA endpoints on the victim's account. The group has also been observed pushing remote access trojans (RATs) disguised as security updates.

The group is believed to be linked to the actor known as "Raccoon." Earlier reporting indicated that Raccoon obtained internal Adobe data by compromising an Indian outsourcing firm, claiming to have stolen 13 million support tickets, including employee records, internal documentation, and vulnerability reports submitted via HackerOne. Adobe has not confirmed these claims, but earlier analyses have linked the same actor to other security incidents.

Once the data theft is complete, UNC6783 contacts victims from ProtonMail accounts to issue ransom demands.

In response to these threats, Google’s Mandiant has published defensive recommendations. Companies should deploy FIDO2 security keys so that MFA is phishing-resistant (a one-time code relayed through a look-alike login page is not, because nothing binds it to the real origin), monitor live chat channels more closely, and regularly audit MFA device registrations for enrollments the account owner did not perform. Security teams should also watch for and block domains that mimic the Zendesk naming pattern, to cut off the attackers' phishing path.
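Two of these recommendations, spotting look-alike vendor domains in proxy logs and auditing MFA device enrollments, translate directly into detection logic. The script below is an added example written for this article and is not code from Google, Mandiant or the vendors named above. The proxy log lines and the Okta-style events are constructed for illustration (the events borrow the System Log field names eventType, actor.alternateId, client.ipAddress and published, but they are invented); the allowlisted apex domains, the trusted egress range 10.20.0.0/16 and the example.com company domain are assumptions.

```python
"""Added example: flag look-alike support domains and suspicious MFA
factor enrollments. All input data is constructed for illustration."""
import ipaddress
from datetime import datetime

# Assumed allowlist of apex domains the organisation legitimately uses.
LEGIT_APEX = {"zendesk.com", "okta.com", "example.com"}
# Vendor brand strings whose presence in a non-allowlisted host is suspicious.
BRAND_TOKENS = ("zendesk", "okta")
# Assumed corporate egress range; MFA enrollments from elsewhere are suspect.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed proxy log: timestamp client method host path status
PROXY_LOG = """\
2026-04-08T14:02:11Z 10.20.3.41 GET acme.zendesk.com /agent/tickets 200
2026-04-08T14:03:27Z 10.20.3.41 GET acme-zendesk-support.com /login 200
2026-04-08T14:03:30Z 10.20.3.41 GET okta-verify.example.com /sso 200
2026-04-08T14:05:02Z 10.20.3.41 GET acme.okta.com /api/v1/authn 200
2026-04-08T14:05:44Z 10.20.3.41 GET zendesk-support.com /okta/auth 200
"""

# Constructed events in the shape of Okta System Log entries (invented data).
OKTA_EVENTS = [
    {"published": "2026-04-08T09:00:00Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "agent2@example.com"}, "client": {"ipAddress": "10.20.3.41"}},
    {"published": "2026-04-08T09:00:30Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "agent2@example.com"}, "client": {"ipAddress": "10.20.3.41"}},
    {"published": "2026-04-08T14:06:10Z", "eventType": "user.session.start",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "agent@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
    {"published": "2026-04-08T14:07:40Z", "eventType": "user.mfa.factor.activate",
     "outcome": {"result": "SUCCESS"},
     "actor": {"alternateId": "agent@example.com"}, "client": {"ipAddress": "203.0.113.7"}},
]


def is_legit_host(host: str) -> bool:
    """True only if host is an allowlisted apex or a subdomain of one.
    Suffix matching on '.apex' rejects tricks like acme.zendesk.com.evil."""
    host = host.lower().rstrip(".")
    return any(host == apex or host.endswith("." + apex) for apex in LEGIT_APEX)


def find_lookalike_hosts(proxy_log: str) -> list[str]:
    """Hosts that carry a vendor brand string but sit outside the allowlisted apexes."""
    flagged = []
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = parts[3].lower().rstrip(".")
        if not is_legit_host(host) and any(tok in host for tok in BRAND_TOKENS):
            flagged.append(host)
    return flagged


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def audit_mfa_enrollments(events: list[dict]) -> list[dict]:
    """Flag MFA factor activations from untrusted IPs, reporting how many minutes
    after that user's latest successful login from the same IP they occurred.
    A factor enrolled minutes after a login from an unknown network is the
    pattern left behind when phished credentials are used to add a device."""
    last_login = {}  # (user, ip) -> time of latest successful session start
    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        user = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        when = _parse_ts(ev["published"])
        if ev["eventType"] == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            last_login[(user, ip)] = when
        elif ev["eventType"] == "user.mfa.factor.activate" and not _is_trusted_ip(ip):
            prior = last_login.get((user, ip))
            minutes = (when - prior).total_seconds() / 60 if prior else None
            findings.append({"user": user, "ip": ip, "minutes_since_login": minutes})
    return findings


if __name__ == "__main__":
    for host in find_lookalike_hosts(PROXY_LOG):
        print("look-alike vendor domain:", host)
    for finding in audit_mfa_enrollments(OKTA_EVENTS):
        print("MFA enrollment from untrusted IP:", finding)
```

On the sample data the domain check flags acme-zendesk-support.com and zendesk-support.com while leaving acme.zendesk.com and the company's own okta-verify.example.com alone, and the enrollment audit reports only the factor activated from 203.0.113.7 ninety seconds after a login from that address. In production the allowlist and trusted ranges come from asset inventory, and the enrollment finding should be paired with a confirmation step with the user, since an untrusted IP is a signal rather than proof.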
