A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors. According to the Google Threat Intelligence Group (GTIG), dozens of corporate entities have been targeted, resulting in the exfiltration of sensitive data for extortion.
Austin Larsen, GTIG principal threat analyst, states that UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs. The hackers have also contacted support and helpdesk staff within targeted organizations to gain direct access.
Researchers suggest that UNC6783 may be linked to a persona known as Raccoon, which has previously targeted multiple BPOs. In social engineering attacks via live chat, the threat actor directs support employees to spoofed Okta login pages on domains impersonating those of the target company, specifically following the pattern [.]zendesk-support<##>[.]com.
Larsen notes that the phishing kit used in these attacks can steal clipboard contents, allowing attackers to bypass multi-factor authentication (MFA) protection and register their devices with the organization. Google has noted attacks where UNC6783 delivered fake security updates to install remote access malware.
After obtaining sensitive data, the threat actor extorts victims, contacting them via ProtonMail addresses with payment demands. While GTIG did not provide additional details about Raccoon, International Cyber Digest reported that someone using the alias “Mr. Raccoon” claimed responsibility for a breach at Adobe, which the company has yet to confirm.
Mr. Raccoon claimed to have accessed Adobe data by compromising an India-based BPO associated with the company. The attacker purportedly deployed a remote access trojan (RAT) on an employee’s computer and then targeted that employee’s manager in a phishing attack.
The attacker claimed to have stolen 13 million support tickets, which included personal data, employee records, HackerOne submissions, and internal documents. In discussions with BleepingComputer, the threat actor behind the CrunchyRoll breach confirmed their involvement in the Adobe attack but did not provide evidence.
Google’s Mandiant has recommended several defenses against UNC6783 attacks. Recommendations include deploying FIDO2 security keys for MFA, monitoring live chat for abuse, blocking spoofed domains matching Zendesk patterns, and regularly auditing MFA device enrollments.
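One way to act on the domain-blocking recommendation above is to scan web proxy logs for hosts whose registrable domain follows the reported zendesk-support<##>[.]com pattern. The script below is an added example, not code from GTIG or Mandiant; the log format and the sample lines are constructed, and the interpretation of <##> as a run of digits is an assumption.

```python
import re
from dataclasses import dataclass

# Reported pattern for the spoofed Okta login pages: the registrable domain is
# zendesk-support<##>.com. <##> is assumed here to be one or more digits; any
# left-hand labels (for example the impersonated company's name) are allowed.
SPOOF_DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*zendesk-support\d+\.com$", re.IGNORECASE
)


@dataclass(frozen=True)
class Hit:
    line_no: int
    host: str


def is_spoofed_zendesk_host(host: str) -> bool:
    """True if host matches the reported zendesk-support<##>.com pattern."""
    host = host.strip().rstrip(".").lower()  # normalise FQDN trailing dot
    return SPOOF_DOMAIN_RE.match(host) is not None


def scan_proxy_log(lines):
    """Scan constructed proxy log lines shaped as
    '<timestamp> <client_ip> <method> <url> <status>' and return matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        m = re.match(r"^[a-z]+://([^/:]+)", parts[3], re.IGNORECASE)
        if m and is_spoofed_zendesk_host(m.group(1)):
            hits.append(Hit(n, m.group(1).lower()))
    return hits


# Constructed sample lines (not real telemetry). Lines 2 and 4 match the pattern;
# line 5 has no digits and so falls outside the reported pattern.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://support.zendesk.com/hc/en-us 200",
    "2024-01-01T10:00:02Z 10.0.0.5 GET https://examplecorp.zendesk-support12.com/login 200",
    "2024-01-01T10:00:03Z 10.0.0.7 GET https://examplecorp.okta.com/ 200",
    "2024-01-01T10:00:04Z 10.0.0.9 POST https://zendesk-support07.com/oauth2/callback 302",
    "2024-01-01T10:00:05Z 10.0.0.9 GET https://zendesk-support.com/ 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: suspicious host {hit.host}")
```

The same predicate can be applied to DNS query logs or used to seed a blocklist; widen the digit count or labels if newer reporting changes the pattern.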