Google’s Threat Intelligence Group (GTIG) has issued a warning about a new cyber campaign aimed at business process outsourcing (BPO) companies. The attackers, identified as UNC6783, are targeting these organizations to extract sensitive information related to high-value firms. The campaign is suspected to be linked to a hacker persona known as ‘Raccoon’, who recently claimed responsibility for stealing data from a third-party Adobe supplier.
Phishing and Social Engineering Tactics
According to Austin Larsen, GTIG’s principal threat analyst, UNC6783 is employing sophisticated social engineering and phishing strategies to breach multiple industries. The primary targets are BPOs working with high-profile companies. These attackers focus on infiltrating support and helpdesk staff to gain trusted access, facilitating data theft for extortion purposes.
The attackers use live chat interactions to lure employees onto spoofed Okta login pages. They also use a phishing toolkit that captures clipboard contents, which lets them circumvent standard multi-factor authentication (MFA) processes. GTIG reports that the attackers set up fake Zendesk support pages imitating the targeted organization’s domain to make the lure more convincing.
Persistent Access and Extortion Techniques
Using the captured employee credentials, the attackers enroll their own devices in the compromised environment, ensuring continued access. GTIG notes that they also push fake security software updates to trick victims into installing remote access malware. After exfiltrating data, UNC6783 sends ransom demands from Proton Mail accounts, using the stolen data as leverage for extortion.
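Two of the tactics above lend themselves to simple detection logic on the defender's side: lookalike hostnames that carry the Okta, Zendesk or company brand without belonging to the real domain (the spoofed login and support pages), and a device enrollment that follows shortly after a login from an address never seen for that user (the persistence step). The following is an added illustration written for this article, not code from GTIG, SecurityWeek or any vendor; the audit log format, the sample log lines, the known-IP table and the placeholder domain example-bpo.com are all constructed for the example and do not reflect a real product's schema.

```python
"""Illustrative detection for two tactics described in the article:
lookalike Okta/Zendesk/company pages and post-phishing device enrollment.
All log formats and sample data here are constructed for the example."""
from datetime import datetime, timedelta
import re

# Domains a lookalike page would imitate. example-bpo.com is a placeholder
# standing in for the targeted organisation's real domain.
LEGIT_DOMAINS = {"okta.com", "zendesk.com", "example-bpo.com"}
BRAND_TOKENS = ("okta", "zendesk", "examplebpo")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .com/.net style hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host):
    """True when the host carries a brand token but is not under the genuine
    domain, e.g. okta-verify-login.net or example-bpo.zendesk-support.co."""
    h = host.lower()
    if registrable_domain(h) in LEGIT_DOMAINS:
        return False
    # Collapse separators so 'okta-', 'okta_' and 'okta.' all match.
    compact = re.sub(r"[-_.]", "", h)
    return any(tok in compact for tok in BRAND_TOKENS)


# Constructed identity-provider audit events (not a real vendor schema):
# timestamp event user source_ip
AUDIT_LOG = """\
2024-01-10T09:00:00 login.success alice@example-bpo.com 203.0.113.5
2024-01-10T09:03:00 device.enroll alice@example-bpo.com 203.0.113.5
2024-01-10T10:00:00 login.success bob@example-bpo.com 198.51.100.7
2024-01-10T12:30:00 device.enroll bob@example-bpo.com 198.51.100.7
2024-01-10T11:00:00 login.success carol@example-bpo.com 203.0.113.9
2024-01-10T13:30:00 device.enroll carol@example-bpo.com 203.0.113.9
"""

# Addresses previously seen for each user (constructed baseline).
KNOWN_IPS = {
    "alice@example-bpo.com": {"192.0.2.10"},
    "bob@example-bpo.com": {"198.51.100.7"},
    "carol@example-bpo.com": {"192.0.2.11"},
}


def parse_events(text):
    """Parse the constructed audit format into sorted (time, event, user, ip) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), event, user, ip))
    return sorted(events)


def suspicious_enrollments(events, known_ips, window=timedelta(minutes=15)):
    """Flag device enrollments that occur within `window` of a login from an
    address not in the user's baseline. A phished credential is typically used
    to log in and enroll the attacker's device in quick succession."""
    last_new_ip_login = {}  # user -> time of most recent login from an unknown IP
    flagged = []
    for ts, event, user, ip in events:
        if event == "login.success" and ip not in known_ips.get(user, set()):
            last_new_ip_login[user] = ts
        elif event == "device.enroll":
            t0 = last_new_ip_login.get(user)
            if t0 is not None and ts - t0 <= window:
                flagged.append((user, ip, ts.isoformat()))
    return flagged


if __name__ == "__main__":
    for host in ("acme.okta.com", "okta-verify-login.net",
                 "example-bpo.zendesk-support.co"):
        print(f"{host}: lookalike={is_lookalike(host)}")
    for hit in suspicious_enrollments(parse_events(AUDIT_LOG), KNOWN_IPS):
        print("suspicious enrollment:", hit)
```

Only Alice's enrollment is flagged: it follows a login from an unknown address by three minutes. Bob logs in from a known address, and Carol's enrollment comes two and a half hours after her unfamiliar login, outside the window. In practice the window and the known-IP baseline would be tuned per environment, and the registrable-domain helper would be replaced with a public-suffix-aware library.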
The tactics described by GTIG align with previous claims by a hacker known as Mr. Raccoon, who boasted of stealing extensive Adobe data from an Indian BPO firm. This data allegedly includes personal details of 15,000 employees, millions of support tickets, and bug bounty submissions.
Implications and Industry Response
The attack reportedly began with a phishing email targeting a BPO support agent, who unknowingly activated a remote access trojan (RAT). This action granted the hacker full control over the agent’s system. Further reconnaissance allowed the attacker to send a second phishing email using the employee’s address, leading to the compromise of managerial credentials for a support platform. With these credentials, Mr. Raccoon claimed to have extracted the entire Adobe database in one request.
SecurityWeek has reached out to Adobe for comments on these claims and will provide updates if the company responds. This incident underscores the critical need for robust cybersecurity measures, especially for BPOs handling sensitive corporate data.
Related reports highlight similar security breaches, including the Eurail data breach affecting 300,000 people and a data security incident at Lloyds impacting 450,000 individuals.
