UNC6783 Hackers Employ Phony Okta Pages in Corporate Breach Operation

The Google Threat Intelligence Group (GTIG) has raised alarms regarding a new hacker collective identified as UNC6783, which is actively targeting large corporations for data theft extortion. Austin Larsen, a leading analyst at GTIG, notes that this group may be associated with an individual operating under the alias Raccoon.

To date, UNC6783 has successfully infiltrated numerous high-profile organizations across various sectors by breaching the defenses of Business Process Outsourcers (BPOs). These companies, which provide essential services like customer support and technical assistance, serve as gateways for attackers to access the primary systems of their larger corporate clients.

Methods of Deception

Larsen indicates that UNC6783 employs an advanced phishing kit to evade conventional security measures. The approach begins with social engineering: attackers open a live-chat conversation, pose as helpful support representatives, and direct employees to fraudulent login pages that mimic the Okta service many organizations use. These counterfeit sites often use domain names designed to look authentic, such as zendesk-support<##>com.

When an unsuspecting employee attempts to log in, the attackers capture information directly from the user’s clipboard. This lets them enroll their own devices into the company’s security framework and so maintain persistent access to the targeted system.

Disguised Threats

Research from GTIG highlights additional methods used by the hackers to deceive employees. They frequently disseminate notifications about non-existent security software updates, which, when downloaded, install a Remote Access Trojan (RAT) instead of benign software. This malware grants hackers remote control over the infected systems. Once they have extracted the required data, they issue ransom notes through Proton Mail.

To mitigate these risks, experts from Mandiant and Google recommend that businesses adopt physical security keys, such as Titan Security Keys, in place of SMS-based verification codes. These keys use the FIDO2 standard, which is significantly harder for intruders to defeat. Organizations should also routinely monitor chat logs and block suspicious URLs that imitate those associated with Zendesk. Regular audits of authorized devices further defend against unauthorized access.
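One way to implement the chat-log monitoring and lookalike-URL blocking recommended above is a small scanner that flags URLs whose host carries a vendor brand string but does not sit under the vendor's real apex domain. This is an added example, not code from GTIG, Mandiant or the article; the allow-list, brand keywords and sample chat lines are constructed for it (the first sample URL reuses the article's zendesk-support example domain).

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Apex domains the organisation actually uses (constructed allow-list for this
# example; populate from your own vendor inventory).
TRUSTED_APEX = {"zendesk.com", "okta.com"}
# Brand strings an impersonation domain is likely to contain.
BRAND_KEYWORDS = ("zendesk", "okta")

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname, e.g. 'a.b.zendesk.com' -> 'zendesk.com'.
    Adequate for .com/.net brands; use a public-suffix library for ccTLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> Optional[str]:
    """Return 'lookalike' when the host contains a brand keyword but is not under
    a trusted apex; None when the host is trusted or unrelated to the brands."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return None
    if registrable_domain(host) in TRUSTED_APEX:
        return None  # genuine vendor domain, any subdomain
    if any(keyword in host for keyword in BRAND_KEYWORDS):
        return "lookalike"  # brand string on an untrusted apex
    return None


def scan_chat_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, url, host) for every lookalike URL in the transcript."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;:)")  # trailing punctuation is not part of the URL
            if classify_url(url) == "lookalike":
                hits.append((number, url, urlparse(url).hostname))
    return hits


# Constructed sample transcript; only the first domain comes from the article.
SAMPLE_CHAT = [
    "agent: hi, please re-authenticate here: https://zendesk-support.com/login, thanks.",
    "employee: our real portal is https://ourco.zendesk.com/agent",
    "agent: that one is broken, use https://okta-verify.example.net/sso instead",
    "employee: see ticket https://support.example.com/ticket/42",
]

if __name__ == "__main__":
    for number, url, host in scan_chat_log(SAMPLE_CHAT):
        print(f"line {number}: lookalike host {host} in {url}")
```

Feed the scanner exported live-chat transcripts and add any flagged hosts to the web proxy block-list after review; subdomains of the trusted apex domains are deliberately never flagged.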

Expert Insights

Furthermore, Watters asserts that Raccoon is not merely attacking companies but instead targeting the very relationships that sustain their operations. He warns that without adequate defensive measures in place, businesses are inadvertently leaving vulnerabilities through third-party systems.

Mika Aalto, Co-Founder and CEO at Hoxhunt, points out that the psychological manipulation employed by these attackers is designed to circumvent robust security systems. He notes that rather than breaching defenses outright, these hackers capitalize on human psychology to gain access. Focusing on helpdesk teams is particularly effective, given their regular handling of sensitive information. Aalto advises that organizations implement realistic training simulations to enhance employee awareness of potential threats and encourage prompt reporting of suspicious activities.
