Full Report
A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. [...]
Analysis Summary
# Threat Actor: UNC6783
## Attribution & Identity
- **Name:** UNC6783
- **Known Aliases:** "Raccoon" or "Mr. Raccoon" (potential linkage/persona).
- **Associations:** Associated with recent breaches involving major service providers and potentially linked to the threat actor behind the CrunchyRoll data breach.
## Activity Summary
UNC6783 is a financially motivated group that specializes in "indirect" compromises by targeting **Business Process Outsourcing (BPO)** providers. By gaining a foothold in the BPO environment, they pivot to high-value client organizations. Their primary goal is the exfiltration of sensitive internal data (specifically Zendesk support tickets) for the purpose of extortion.
## Tactics, Techniques & Procedures
- **Social Engineering:** Extensive use of live chat manipulation to target support and helpdesk staff.
- **Phishing:** Deployment of spoofed Okta login pages hosted on domains impersonating target companies (following the pattern `[targetname][.]zendesk-support[.]com`).
- **MFA Bypass:** Use of specialized phishing kits that can steal clipboard contents to bypass Multi-Factor Authentication (MFA).
- **Device Registration:** Registering unauthorized attacker-controlled devices within the victim organization's identity provider once credentials/MFA are intercepted.
- **Malware Delivery:** Distributing fake security updates used to deliver Remote Access Trojans (RATs).
- **Extortion:** Contacting victims via encrypted email services (ProtonMail) with payment demands after successful data exfiltration.
## Targeting
- **Sectors:** Business Process Outsourcing (BPO), Technology, Entertainment, and various high-value corporate sectors.
- **Geography:** Global operations reported; specific mention of targeting India-based BPOs.
- **Victims:**
  - **Adobe:** Alleged breach of 13 million support tickets (unconfirmed by Adobe).
  - **CrunchyRoll:** Linked via threat actor claims.
  - **Dozens of corporate entities:** General targeting of helpdesk ecosystems.
## Tools & Infrastructure
- **Malware:** Remote Access Trojans (RATs).
- **Phishing Infrastructure:** Spoofed Okta login pages; domains following the pattern `[targetname][.]zendesk-support[.]com`.
- **Communication:** ProtonMail addresses for extortion communications.
## Implications
UNC6783 represents a sophisticated threat to the supply chain, specifically targeting the "trust relationship" between a corporation and its outsourced support partners. By capturing support tickets, the actor gains access to a goldmine of PII, employee records, internal documents, and vulnerability data (such as HackerOne submissions), providing significant leverage for high-stakes extortion.
## Mitigations
- **Authentication:** Deploy hardware-based FIDO2 security keys to replace SMS or TOTP-based MFA, which are vulnerable to the actor's phishing kits.
- **Monitoring:** Actively monitor live chat sessions for suspicious links or social engineering attempts.
- **Domain Squatting Defense:** Proactively block or monitor domains matching the pattern `*[.]zendesk-support[.]com`.
- **Audit Trails:** Regularly audit MFA device enrollment logs to identify and remove unauthorized devices.
- **BPO Security:** Implement stricter access controls and auditing for third-party BPO providers accessing internal support platforms.
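The following script is an added example, not code from the original report or from any identity-provider or security vendor. It turns two of the mitigations above (domain-squatting defense and MFA enrollment auditing) into runnable checks against the tradecraft described in the TTP section: `classify_domain()` flags hostnames that match the `[targetname][.]zendesk-support[.]com` impersonation pattern (accepting the defanged `[.]` notation the report uses), and `suspicious_enrollments()` reviews factor-enrollment events for a device registered shortly after a user's first login from a never-before-seen IP. The legitimate helpdesk suffix, the 30-minute window, the event field names and all users, IPs and domains are constructed for the demo and are not any IdP's real schema or any victim's data.

```python
"""
Added example (not part of the original report): two defender-side checks
modelled on the UNC6783 tradecraft described above.
  1. classify_domain()         - flag <targetname>.zendesk-support.com look-alikes
  2. suspicious_enrollments()  - flag MFA factors enrolled right after a login
                                 from an IP the user has never used before
All domains, user names, IPs and events are constructed sample data; the event
field names (user/type/ip/ts) are this example's own, not any IdP's log schema.
"""
import re
from datetime import datetime, timedelta

# Pattern from the report: an optional target label in front of zendesk-support.com.
IMPERSONATION_RE = re.compile(r"^(?:(?P<target>[a-z0-9.-]+)\.)?zendesk-support\.com$")
# Assumption: these suffixes are the organisation's genuine helpdesk domains.
LEGIT_SUFFIXES = (".zendesk.com",)
# Assumption: a factor enrolled within this long of a brand-new IP's first login is worth a look.
ENROLL_WINDOW = timedelta(minutes=30)


def refang(host):
    """Normalise a possibly defanged hostname, e.g. "acme[.]zendesk-support[.]com"."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")


def classify_domain(host):
    """Return 'legit', 'impersonation:<target>' or 'unknown' for one hostname."""
    h = refang(host)
    if h.endswith(LEGIT_SUFFIXES):
        return "legit"
    m = IMPERSONATION_RE.match(h)
    if m:
        return "impersonation:" + (m.group("target") or "(apex)")
    return "unknown"


def suspicious_enrollments(events):
    """Return (user, ip, reason) tuples for MFA enrollments that need human review.

    Heuristics (this example's own, not the report's):
      - the enrolling IP never produced a successful login for that user, or
      - the user already had logins from other IPs and this IP's first login
        happened within ENROLL_WINDOW before the enrollment.
    """
    hits = []
    first_login = {}    # (user, ip) -> timestamp of first successful login
    ips_per_user = {}   # user -> set of IPs with successful logins
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        if e["type"] == "login.success":
            first_login.setdefault(key, e["ts"])
            ips_per_user.setdefault(e["user"], set()).add(e["ip"])
        elif e["type"] == "mfa.factor.enrolled":
            first = first_login.get(key)
            if first is None:
                hits.append((e["user"], e["ip"], "enrolled without a login from this ip"))
            elif len(ips_per_user[e["user"]]) > 1 and e["ts"] - first <= ENROLL_WINDOW:
                hits.append((e["user"], e["ip"],
                             "enrolled %s after first login from a new ip" % (e["ts"] - first)))
    return hits


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events using RFC 5737 documentation addresses.
SAMPLE_EVENTS = [
    {"user": "alice", "type": "login.success", "ip": "203.0.113.10", "ts": _t("2025-01-06T09:00:00")},
    {"user": "alice", "type": "login.success", "ip": "203.0.113.10", "ts": _t("2025-01-07T09:05:00")},
    # new IP, then a factor enrolled five minutes later: the device-registration step above
    {"user": "alice", "type": "login.success", "ip": "198.51.100.77", "ts": _t("2025-01-08T10:00:00")},
    {"user": "alice", "type": "mfa.factor.enrolled", "ip": "198.51.100.77", "ts": _t("2025-01-08T10:05:00")},
    # bob enrolls two days after first using an IP he regularly logs in from: not flagged
    {"user": "bob", "type": "login.success", "ip": "192.0.2.5", "ts": _t("2025-01-06T08:00:00")},
    {"user": "bob", "type": "login.success", "ip": "192.0.2.6", "ts": _t("2025-01-07T08:00:00")},
    {"user": "bob", "type": "mfa.factor.enrolled", "ip": "192.0.2.5", "ts": _t("2025-01-08T08:00:00")},
    # carol's factor was enrolled from an IP she never logged in from
    {"user": "carol", "type": "login.success", "ip": "192.0.2.9", "ts": _t("2025-01-06T08:00:00")},
    {"user": "carol", "type": "mfa.factor.enrolled", "ip": "198.51.100.78", "ts": _t("2025-01-06T08:20:00")},
]

# Constructed hostnames: a defanged look-alike, a genuine helpdesk host, an unrelated host.
SAMPLE_HOSTS = ["acme[.]zendesk-support[.]com", "support.acme.zendesk.com", "acme-support.example.org"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, "->", classify_domain(h))
    for hit in suspicious_enrollments(SAMPLE_EVENTS):
        print("REVIEW:", hit)
```

In practice the domain check would run over proxy or DNS logs and the enrollment check over the identity provider's system log; the point of keeping the two rules separate is that an enrollment with no matching login at all (carol) indicates a hijacked session or API token, while an enrollment minutes after a first-ever login from a new IP (alice) is the post-phishing device registration the report describes.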