High-value organizations: UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign

Google Warns of UNC6783 Hacking Group Targeting BPOs in Data Theft Extortion Scheme

Google’s Threat Intelligence Group (GTIG) has identified a new cybercriminal group, UNC6783, linked to an individual operating under the alias "Raccoon." The group is conducting data theft extortion attacks against high-value organizations by infiltrating Business Process Outsourcers (BPOs), the third-party firms that handle customer service, technical support, and other critical functions for larger corporations.

By compromising BPOs, UNC6783 gains indirect access to the primary targets’ systems. The group employs a custom phishing kit to bypass security measures, initiating attacks through social engineering tactics in live chat windows. Hackers pose as legitimate support agents, directing employees to fake Okta login pages with deceptive domains (e.g., zendesk-support<##>com). Once credentials are entered, attackers steal clipboard data to enroll their own devices for persistent access.

In addition to phishing, UNC6783 deploys fake security updates that install Remote Access Trojans (RATs), allowing remote control of infected systems. After exfiltrating data, the group sends ransom notes via Proton Mail.

Google and Mandiant recommend FIDO2 security keys (e.g., Titan Security Keys) over SMS-based authentication, along with monitoring live chat logs, blocking suspicious Zendesk-pattern links, and auditing enrolled devices to prevent unauthorized access.
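The recommendation to monitor live chat logs and block suspicious Zendesk-pattern links can be turned into a simple detection pass over chat transcripts. The script below is an added example for this page, not code from the article, Google, or Mandiant. It assumes a transcript of one message per line, an allowlist of the organization's real Okta and Zendesk domains (the three entries in ALLOWED_DOMAINS are assumptions an operator would replace with their own tenants), and a constructed sample transcript that uses IANA-reserved example domains in place of real lookalike hosts. It flags any URL whose hostname carries a brand token but does not resolve to an allowlisted registrable domain, which covers both the hyphenated lookalike pattern described above and the brand-as-subdomain trick (brand.com.something-else.net).

```python
import re
from urllib.parse import urlparse

# Brands whose login pages the article describes as being impersonated.
BRAND_TOKENS = ("okta", "zendesk")

# Registrable domains that legitimately carry those brand names.
# Assumed allowlist: an operator would populate it from their own SSO and
# helpdesk tenants rather than use these placeholders.
ALLOWED_DOMAINS = {"okta.com", "oktapreview.com", "zendesk.com"}

# Loose URL matcher for chat text; stops at whitespace and quote/angle characters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Good enough for .com-style domains; a production version would consult the
    Public Suffix List so that e.g. co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_suspicious_host(host: str) -> bool:
    """True when a host contains a brand token but is not a subdomain of an
    allowlisted brand domain.

    Catches hyphenated lookalikes such as zendesk-support.example and
    brand-as-subdomain hosts such as okta.com.example.net, while letting real
    tenants such as acme.okta.com and support.zendesk.com through.
    """
    host = host.lower()
    if not any(token in host for token in BRAND_TOKENS):
        return False
    return registrable_domain(host) not in ALLOWED_DOMAINS


def scan_chat_log(lines):
    """Return a list of (line_number, url) for every URL whose host looks like
    a brand lookalike. Lines are plain transcript messages, one per element."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname or ""
            if is_suspicious_host(host):
                findings.append((n, url))
    return findings


# Constructed sample transcript (not a real capture). Hostnames use the
# IANA-reserved .example and example.net names so nothing here resolves.
SAMPLE_CHAT = [
    "[10:02] agent-ext: Hi, this is IT support, please re-verify via https://support.zendesk.com/hc/en-us",
    "[10:03] agent-ext: Actually use the SSO link https://zendesk-support.example/login to speed things up",
    "[10:04] employee: got it, the page at https://acme.okta.com/app is asking for my code",
    "[10:05] agent-ext: No, this one: https://okta.com.example.net/signin",
    "[10:06] employee: ok, also see https://intranet.example.org/helpdesk",
]

if __name__ == "__main__":
    for line_no, url in scan_chat_log(SAMPLE_CHAT):
        print(f"line {line_no}: suspicious brand lookalike {url}")
```

Running it against the sample transcript reports lines 3 and 5 of the conversation (list positions 2 and 4), the two hosts that borrow a brand name without belonging to an allowlisted domain; the genuine acme.okta.com and support.zendesk.com links are left alone. The same is_suspicious_host check can be reused as a URL-filter rule for outbound links pasted into chat, which is the blocking control the recommendation describes.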

Industry experts highlight the shift in tactics: John Watters (iCOUNTER CEO) notes that UNC6783 exploits trusted partner relationships, while Mika Aalto (Hoxhunt CEO) emphasizes the group’s use of psychological manipulation to bypass technical defenses. Both stress the need for ecosystem-wide security and realistic employee training to counter such threats.

Source: https://hackread.com/unc6783-hackers-fake-okta-pages-corporate-breach/

High Value Target cybersecurity rating report: https://www.rankiteo.com/company/high-value-target

{
"id": "HIG1775831599",
"linkid": "high-value-target",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Customer Service', 'Technical Support'],
                        'type': 'Business Process Outsourcers (BPOs)'}],
 'attack_vector': ['Phishing',
                   'Social Engineering',
                   'Remote Access Trojans (RATs)'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Likely (credentials, '
                                                        'clipboard data)',
                 'sensitivity_of_data': 'High (credentials, PII)',
                 'type_of_data_compromised': ['Credentials',
                                              'Clipboard data',
                                              'Sensitive corporate '
                                              'information']},
 'description': 'Google’s Threat Intelligence Group (GTIG) has identified a '
                'new cybercriminal group, UNC6783, linked to an individual '
                "operating under the alias 'Raccoon.' The group is conducting "
                'data theft extortion attacks against high-value organizations '
                'by infiltrating Business Process Outsourcers (BPOs) '
                'third-party firms handling customer service, technical '
                'support, and other critical functions for larger '
                'corporations. By compromising BPOs, UNC6783 gains indirect '
                'access to the primary targets’ systems. The group employs a '
                'custom phishing kit to bypass security measures, initiating '
                'attacks through social engineering tactics in live chat '
                'windows. Hackers pose as legitimate support agents, directing '
                'employees to fake Okta login pages with deceptive domains. '
                'Once credentials are entered, attackers steal clipboard data '
                'to enroll their own devices for persistent access. In '
                'addition to phishing, UNC6783 deploys fake security updates '
                'that install Remote Access Trojans (RATs), allowing remote '
                'control of infected systems. After exfiltrating data, the '
                'group sends ransom notes via Proton Mail.',
 'impact': {'brand_reputation_impact': 'Potential damage to brand reputation '
                                       'of affected organizations',
            'data_compromised': 'Credentials, clipboard data, sensitive '
                                'corporate information',
            'identity_theft_risk': 'High (due to stolen credentials and PII)',
            'operational_impact': 'Potential disruption of customer service '
                                  'and technical support operations',
            'systems_affected': 'BPO systems, primary target systems accessed '
                                'via BPOs'},
 'initial_access_broker': {'backdoors_established': 'Remote Access Trojans '
                                                    '(RATs)',
                           'entry_point': 'BPOs via phishing and social '
                                          'engineering',
                           'high_value_targets': 'Primary organizations via '
                                                 'compromised BPOs'},
 'lessons_learned': 'Exploitation of trusted partner relationships and '
                    'psychological manipulation in social engineering attacks. '
                    'Need for ecosystem-wide security and realistic employee '
                    'training.',
 'motivation': 'Financial gain through extortion',
 'post_incident_analysis': {'corrective_actions': ['FIDO2 security keys',
                                                   'Monitoring live chat logs',
                                                   'Blocking suspicious links',
                                                   'Auditing enrolled devices',
                                                   'Employee training'],
                            'root_causes': ['Exploitation of trusted partner '
                                            'relationships',
                                            'Social engineering tactics',
                                            'Fake Okta login pages']},
 'ransomware': {'data_exfiltration': 'Yes'},
 'recommendations': ['Use FIDO2 security keys over SMS-based authentication',
                     'Monitor live chat logs',
                     'Block suspicious Zendesk-pattern links',
                     'Audit enrolled devices',
                     'Implement realistic employee training'],
 'references': [{'source': 'Google’s Threat Intelligence Group (GTIG)'},
                {'source': 'Mandiant'}],
 'response': {'remediation_measures': ['FIDO2 security keys (e.g., Titan '
                                       'Security Keys)',
                                       'Monitoring live chat logs',
                                       'Blocking suspicious Zendesk-pattern '
                                       'links',
                                       'Auditing enrolled devices'],
              'third_party_assistance': 'Google’s Threat Intelligence Group '
                                        '(GTIG), Mandiant'},
 'threat_actor': 'UNC6783 (alias: Raccoon)',
 'title': 'UNC6783 Hacking Group Targeting BPOs in Data Theft Extortion Scheme',
 'type': 'Data Theft Extortion',
 'vulnerability_exploited': 'Trusted partner relationships, fake Okta login '
                            'pages, clipboard data theft'}