
ILLINOIS, UNITED STATES – The Google Threat Intelligence Group (GTIG) has issued a warning that a financially motivated threat actor, UNC6783, will target BPO firms to steal data from their high-value clients.
GTIG suspects that UNC6783 is Raccoon, the hacker who claimed responsibility for the large-scale Adobe data theft from an Indian BPO firm.
How UNC6783 Steals Data
GTIG found that UNC6783 compromises BPOs through social engineering. GTIG principal threat analyst Austin Larsen says they have seen the attackers target the support and helpdesk staff of BPO firms directly “to gain trusted access and steal sensitive data for extortion operations.”
According to a report from SecurityWeek, UNC6783 uses live chats to lure employees to spoofed Okta login pages, a phishing kit that steals clipboard content to bypass MFA verification, and fake Zendesk support pages that pose as the BPO’s domain. Afterward, the attackers enroll their own devices to gain access to the compromised environment.
Larsen and GTIG have also observed the attackers using fake security software updates to deliver remote-access malware, followed by ransom notes sent through Proton Mail accounts.












