www.securityweek.com 4/9/2026, 9:50:36 AM · via preferred

UNC6783 hits BPOs via fake Okta login, steals Adobe data

Google Threat Intelligence Group (GTIG) warns of a financially motivated campaign targeting business process outsourcing (BPO) organisations to steal data from high-value companies. Tracked as UNC6783, the threat actor is potentially linked to a ‘Raccoon’ persona used by a hacker who claimed the theft of Adobe data from a BPO, according to GTIG.

GTIG notes that UNC6783 has conducted social engineering and phishing campaigns across multiple industries, predominantly focussing on compromising BPOs and their support and helpdesk staff to gain trusted access for extortion. The group uses live chats to lure employees to spoofed Okta login pages, and uses a phishing kit that steals clipboard contents to bypass standard multi-factor authentication. Following data exfiltration, UNC6783 has been known to use Proton Mail accounts to deliver ransom notes. Mr. Raccoon claims to have exported the entire Adobe database from the platform with a single request.

Article by CyberSIXT