Full Report
Google has disclosed details of a financially motivated threat cluster that it said "specialises" in voice phishing (aka vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion. The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with
Analysis Summary
# Threat Actor: UNC6040
## Attribution & Identity
* **Identification:** Financially motivated threat cluster tracked by Google Threat Intelligence Group (GTIG).
* **Aliases and Associations:** Exhibits characteristics aligning with threat groups tied to the online cybercrime collective known as **The Com**.
* **Claimed Affiliations (During Extortion):** UNC6040 has claimed affiliation with the hacking group **ShinyHunters** during extortion attempts to increase pressure on victims.
* **Tactical Overlap:** Overlaps with **Scattered Spider** in its targeting of Okta credentials and its heavy reliance on IT support impersonation via social engineering.
## Activity Summary
UNC6040 specializes in voice phishing (vishing) campaigns aimed at breaching organizations' Salesforce instances for large-scale data theft, followed by extortion that sometimes begins several months after the intrusion. The core activity involves:
1. **Vishing:** Operators impersonate IT support personnel in convincing telephone-based social engineering engagements, targeting English-speaking employees.
2. **Salesforce Compromise:** Tricking victims into authorizing a modified version of Salesforce's Data Loader application (presented under alternative branding such as "My Ticket Portal") as a connected app in their Salesforce environment. Once approved, the app operates with the victim's own Salesforce permissions and can query and export data through the API without any further credential theft.
3. **Pivoting and Data Exfiltration:** Using the initial Salesforce access as a foothold to pivot to other cloud platforms reachable with the compromised users' identities, harvesting data from Okta, Workplace, and Microsoft 365.
4. **Extortion:** Engaging in extortion activities, often months later, based on the stolen data.
## Tactics, Techniques & Procedures
- Voice Phishing (Vishing)
- Social Engineering (Impersonating IT support personnel)
- Deception to gain authorization for malicious applications
- Use of legitimate bulk data tools in a modified form (Data Loader abuse)
- Lateral movement across cloud environments post-initial compromise
- Attempted data extortion
## Targeting
* **Sectors:** Organizations utilizing Salesforce environments (implied by the focus on breaching Salesforce instances).
* **Geography:** Not stated explicitly; the focus on English-speaking employees suggests targeting across English-speaking and multinational organizations rather than a single country.
* **Victims:** Organizations with Salesforce, Okta, Workplace, and Microsoft 365 deployments targeted for data exfiltration. Specific organization names were not mentioned in the summary.
## Tools & Infrastructure
* **Malware Families Used:** A modified, deceptively branded version of **Salesforce Data Loader**. Note that this is a legitimate Salesforce tool, not a distinct malware family, so endpoint antivirus signatures are unlikely to flag it; detection depends on which connected apps were authorized, by whom, and how much data they pulled.
* **Infrastructure:** Not explicitly detailed, but the mechanism relies heavily on voice communication (vishing).
## Implications
UNC6040 presents a high-impact threat because it combines convincing vishing with abuse of a legitimate application-layer feature (connected app authorization) on a widely deployed SaaS platform (Salesforce). Its patience in executing extortion, often waiting several months after the intrusion, complicates detection and response: by the time a demand arrives, the original access may already have been revoked or rotated, and the login and API logs needed to scope the theft may have aged past retention. The linkage to established groups like The Com and the use of the ShinyHunters name during extortion suggest an organized criminal enterprise focused purely on data theft and monetization.
## Mitigations
- Restrict and monitor Salesforce connected app authorization: require admin pre-approval rather than user self-authorization where the org's OAuth policies allow it, and alert on API logins from connected app names that are not on an allowlist.
- Scrutinize phone requests from alleged IT support personnel: require out-of-band verification (a callback to a known help-desk number or a ticket in the internal system) before granting system access or approving application installations.
- Harden controls and MFA for Okta, Workplace, and Microsoft 365, as these are secondary targets after a Salesforce breach.
- Train employees specifically on vishing techniques that impersonate internal IT staff, including the "approve this app to resolve your ticket" pretext.
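The monitoring control above can be reduced to a simple check over Salesforce login records. The script below is an added example, not code from the GTIG report or from Salesforce: it walks LoginHistory-style rows, flags successful OAuth logins whose connected app name is not on an allowlist, and escalates when the same unknown app spans several users or uses the Bulk API (the mass-export path). The field names follow Salesforce's `LoginHistory` object (`Application`, `ApiType`, `LoginType`, `Status`, `UserId`, `LoginTime`, `SourceIp`); the approved-app list and every record are constructed for this example, and the "My Ticket Portal" rows only illustrate the pattern the report describes.

```python
"""Flag Salesforce API logins that arrive through unapproved connected apps.

Added example, not code from the GTIG report or from Salesforce. Row layout
mirrors Salesforce's LoginHistory object; the allowlist and all records
below are constructed for illustration.
"""
from datetime import datetime

# Connected app names this hypothetical org expects. The two Data Loader
# entries are how the legitimate tool normally identifies itself; "Browser"
# is the value Salesforce records for interactive UI logins. (Assumed.)
APPROVED_APPS = {"Dataloader Partner", "Dataloader Bulk", "Browser"}

# OAuth 2.0 connected-app logins are recorded with this LoginType.
OAUTH_LOGIN_TYPE = "Remote Access 2.0"

# Constructed sample rows. Rows 3-5 show the pattern from the report: business
# users approve an app with a help-desk-sounding name, which then logs in via
# the Partner API and, minutes later, the Bulk API from an unfamiliar IP.
LOGINS = [
    {"UserId": "u-alice", "Application": "Browser", "ApiType": "N/A",
     "LoginType": "Application", "Status": "Success",
     "LoginTime": "2025-03-04T09:02:11", "SourceIp": "203.0.113.10"},
    {"UserId": "u-ops", "Application": "Dataloader Bulk", "ApiType": "Bulk API",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success",
     "LoginTime": "2025-03-04T09:30:00", "SourceIp": "203.0.113.10"},
    {"UserId": "u-alice", "Application": "My Ticket Portal", "ApiType": "SOAP Partner",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success",
     "LoginTime": "2025-03-04T14:12:40", "SourceIp": "198.51.100.7"},
    {"UserId": "u-alice", "Application": "My Ticket Portal", "ApiType": "Bulk API",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success",
     "LoginTime": "2025-03-04T14:15:02", "SourceIp": "198.51.100.7"},
    {"UserId": "u-bob", "Application": "My Ticket Portal", "ApiType": "SOAP Partner",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success",
     "LoginTime": "2025-03-05T10:40:00", "SourceIp": "198.51.100.7"},
    {"UserId": "u-carol", "Application": "Legacy Sync", "ApiType": "REST",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Failed",
     "LoginTime": "2025-03-05T11:00:00", "SourceIp": "192.0.2.5"},
]


def flag_unapproved_api_logins(logins, approved=APPROVED_APPS):
    """Successful OAuth connected-app logins whose app is not on the allowlist.

    Failed logins are dropped: the actor only gets data once the victim has
    actually approved the app, and a failed row carries no export risk.
    """
    return [r for r in logins
            if r["Status"] == "Success"
            and r["LoginType"] == OAUTH_LOGIN_TYPE
            and r["Application"] not in approved]


def summarize_by_app(flagged):
    """Collapse flagged rows per app: who used it, from where, and via which APIs."""
    out = {}
    for r in flagged:
        s = out.setdefault(r["Application"], {
            "users": set(), "ips": set(), "api_types": set(),
            "first_seen": None, "last_seen": None})
        s["users"].add(r["UserId"])
        s["ips"].add(r["SourceIp"])
        s["api_types"].add(r["ApiType"])
        t = datetime.fromisoformat(r["LoginTime"])
        if s["first_seen"] is None or t < s["first_seen"]:
            s["first_seen"] = t
        if s["last_seen"] is None or t > s["last_seen"]:
            s["last_seen"] = t
    return out


def priority(summary):
    """Escalate when an unknown app uses the Bulk API or spreads across users.

    Bulk API access is the mass-export path Data Loader relies on; the same
    unknown app appearing under several users matches a vishing campaign
    working through a call list rather than one user's personal integration.
    """
    score = 1
    if "Bulk API" in summary["api_types"]:
        score += 2
    if len(summary["users"]) > 1:
        score += 1
    return "high" if score >= 3 else "medium"


def report(logins=LOGINS):
    """Return (app, priority, user_count, api_types) tuples, highest priority first."""
    summaries = summarize_by_app(flag_unapproved_api_logins(logins))
    rows = [(app, priority(s), len(s["users"]), sorted(s["api_types"]))
            for app, s in summaries.items()]
    return sorted(rows, key=lambda x: (x[1] != "high", x[0]))


if __name__ == "__main__":
    for app, prio, users, apis in report():
        print(f"{prio.upper():6} {app!r}: {users} user(s), APIs {apis}")
```

In a real org the rows come from SOQL, for example `SELECT UserId, Application, ApiType, LoginType, Status, LoginTime, SourceIp FROM LoginHistory WHERE LoginTime = LAST_N_DAYS:7`, and the allowlist should be generated from the connected apps an admin has actually installed rather than typed by hand. The check is deliberately keyed on the app name the actor chose rather than on Data Loader's binary, since the tool itself is legitimate and will not trip endpoint signatures.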