UNC6783 Hackers Target BPOs for Zendesk Ticket Heists

A new threat actor, dubbed UNC6783, is employing a sophisticated strategy to infiltrate high-value corporations by targeting their business process outsourcing (BPO) providers. Google Threat Intelligence Group (GTIG) reported that this campaign has already impacted dozens of companies across various sectors, with the primary objective being the exfiltration of sensitive data for extortion purposes. UNC6783's modus operandi typically involves social engineering and phishing attacks aimed at BPO employees. However, the group has also been observed directly contacting support and helpdesk staff within targeted organizations to gain unauthorized access.

According to GTIG, UNC6783 utilizes convincing phishing pages, often hosted on subdomains impersonating legitimate company domains, to steal credentials. These pages are designed to trick support employees into entering their Okta login details. Notably, the phishing kits deployed can capture clipboard contents, a tactic that can bypass multi-factor authentication (MFA) and allow attackers to register their own devices with the compromised organization. In some instances, UNC6783 has also distributed fake security updates to deploy remote access malware. Following data exfiltration, victims are reportedly extorted via ProtonMail, with demands for payment.

GTIG researchers suggest a potential link between UNC6783 and a threat actor persona known as Raccoon, which has previously targeted BPOs serving large enterprises. While the full scope of this connection is still under investigation, the evolving tactics highlight the critical need for robust security measures extending beyond direct corporate perimeters into the supply chain.

What This Means For You

  • Security teams must rigorously vet the security postures of third-party BPO providers and ensure that access controls, particularly for critical systems like Zendesk and identity providers like Okta, are strictly enforced with MFA and monitored for anomalous login activity, even from seemingly trusted external partners.
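As an added illustration (not from GTIG's report or this article), the following Python sketch shows one way a defender might flag the pattern the article describes: a successful login to the identity provider followed within minutes by enrolment of a new MFA factor or device, weighted higher when the source address sits outside the BPO partner's agreed egress ranges. The event schema, field names, partner address range and sample events are all constructed for this example and are not real Okta System Log output.

```python
"""Flag 'new MFA factor enrolled shortly after login' against constructed IdP events.

This is illustrative detection logic only. The event format below is a simplified,
constructed schema (assumption), not the real Okta System Log.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Three helpdesk agents at a
# hypothetical BPO partner; agent1 logs in from an address outside the partner's
# agreed egress range and enrols a new factor 89 seconds later.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:02:11Z", "user": "agent1@bpo.example", "event": "session.start",     "ip": "203.0.113.10",  "result": "SUCCESS"},
    {"ts": "2025-01-14T09:03:40Z", "user": "agent1@bpo.example", "event": "mfa.factor.enroll", "ip": "203.0.113.10",  "result": "SUCCESS"},
    {"ts": "2025-01-14T10:15:00Z", "user": "agent2@bpo.example", "event": "session.start",     "ip": "198.51.100.7",  "result": "SUCCESS"},
    {"ts": "2025-01-14T10:20:00Z", "user": "agent2@bpo.example", "event": "mfa.factor.enroll", "ip": "198.51.100.7",  "result": "SUCCESS"},
    {"ts": "2025-01-14T11:00:00Z", "user": "agent3@bpo.example", "event": "session.start",     "ip": "198.51.100.9",  "result": "SUCCESS"},
    {"ts": "2025-01-14T13:30:00Z", "user": "agent3@bpo.example", "event": "mfa.factor.enroll", "ip": "198.51.100.9",  "result": "SUCCESS"},
]

# Constructed allow-list: the egress range the partner committed to in its contract.
PARTNER_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Enrolments this soon after a login are unusual for an established agent.
ENROLL_WINDOW = timedelta(minutes=30)


def _parse_ts(ts):
    """Parse the constructed ISO-8601 'Z' timestamp into a naive UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_partner_ip(ip, ranges):
    """True if ip falls inside any of the partner's agreed egress networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def detect(events, partner_egress=PARTNER_EGRESS, window=ENROLL_WINDOW):
    """Return a list of alert dicts for two rules:

    1. login_outside_partner_egress: a successful session start from an address
       that is not in the partner's allow-listed ranges (medium).
    2. factor_enrolled_shortly_after_login: a new MFA factor/device enrolled
       within `window` of that user's most recent successful login; high when
       the enrolling address is outside the partner ranges, medium otherwise.
    """
    alerts = []
    last_login = {}  # user -> (datetime, ip) of most recent successful login

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "SUCCESS":
            continue
        t = _parse_ts(ev["ts"])
        user, ip = ev["user"], ev["ip"]

        if ev["event"] == "session.start":
            last_login[user] = (t, ip)
            if not is_partner_ip(ip, partner_egress):
                alerts.append({"user": user, "ip": ip, "severity": "medium",
                               "rule": "login_outside_partner_egress"})

        elif ev["event"] == "mfa.factor.enroll":
            login = last_login.get(user)
            if login is None:
                continue
            since_login = t - login[0]
            if since_login <= window:
                severity = "medium" if is_partner_ip(ip, partner_egress) else "high"
                alerts.append({"user": user, "ip": ip, "severity": severity,
                               "rule": "factor_enrolled_shortly_after_login",
                               "minutes_since_login": round(since_login.total_seconds() / 60, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events, agent1 produces a medium alert for the out-of-range login and a high alert for the factor enrolled 1.5 minutes later; agent2 produces only a medium enrolment alert because the address is in the partner range; agent3's enrolment falls outside the 30-minute window and is not flagged. In a real deployment the allow-list would come from the partner's contractual egress ranges and the window from a baseline of how often legitimate agents actually enrol new factors.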