In June, a Google corporate Salesforce instance experienced activity consistent with UNC6040, prompting an impact analysis and mitigation. The affected instance stored contact information and related notes for small and medium-sized businesses, and investigators confirmed that data was accessed during a short window before the connection was severed. Retrieved data was limited to basic, largely public business information such as names and contact details. GTIG tracks extortion campaigns following UNC6040 intrusions under UNC6240; these campaigns contact employees by phone or email, demand bitcoin within 72 hours, and often claim the ShinyHunters identity. GTIG documents a shift from Salesforce Data Loader to custom Python exfiltration tools and voice phishing routed through Mullvad VPN or TOR, with automated TOR-based data collection complicating attribution.
In June, one of Google's corporate Salesforce instances was affected by activity consistent with the UNC6040 campaign described in the post. Google responded by conducting an impact analysis and implementing mitigation steps. The affected instance stored contact information and related notes for small and medium-sized businesses. Investigators confirmed that data was accessed during a short window before the connection was severed. The retrieved data was limited to basic, largely public business information such as names and contact details.
The Google Threat Intelligence Group (GTIG) tracks extortion campaigns following UNC6040 intrusions under the designation UNC6240, which typically unfold months after the initial data breach. The attackers contact employees of the affected organization via phone or email, demanding bitcoin payments within 72 hours. Throughout these engagements, UNC6240 has repeatedly claimed to be the group ShinyHunters. GTIG believes that actors using the ShinyHunters moniker may be planning to escalate their tactics by launching a data leak site (DLS).
GTIG has documented an evolution in UNC6040's tactics, techniques, and procedures (TTPs). Initially dependent on Salesforce's Data Loader application, the group has since transitioned to custom Python-based applications that perform similar data-exfiltration functions. The updated attack chain typically begins with a voice phishing call, often conducted through Mullvad VPN or TOR IP addresses. After engaging the victim, the group automates data collection via TOR, further complicating attribution efforts.
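The attack chain above (login, connected-app authorisation, then automated bulk collection over TOR) can be correlated in login and API activity logs. The following is an added detection example written for this summary, not code from GTIG or from Google; the event schema, the anonymising-egress IP set, the row threshold and the time window are all constructed assumptions rather than Salesforce's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed for this example: egress IPs treated as Tor exit / VPN addresses (not a real list).
ANON_EGRESS = {"198.51.100.7", "203.0.113.44"}
ROW_THRESHOLD = 10_000          # assumed: rows pulled in one session that count as a bulk export
WINDOW = timedelta(minutes=30)  # assumed: correlation window after a login

# Constructed sample events (simplified schema, not Salesforce's real event log format).
SAMPLE_EVENTS = [
    {"ts": "2025-06-04T14:02:10", "user": "u1", "ip": "198.51.100.7", "type": "LOGIN"},
    {"ts": "2025-06-04T14:03:30", "user": "u1", "ip": "198.51.100.7", "type": "APP_AUTHORIZED", "app": "Data Loader"},
    {"ts": "2025-06-04T14:05:00", "user": "u1", "ip": "198.51.100.7", "type": "BULK_QUERY", "rows": 48000},
    {"ts": "2025-06-04T09:00:00", "user": "u2", "ip": "192.0.2.10", "type": "LOGIN"},
    {"ts": "2025-06-04T09:10:00", "user": "u2", "ip": "192.0.2.10", "type": "BULK_QUERY", "rows": 200},
    {"ts": "2025-06-04T11:00:00", "user": "u3", "ip": "192.0.2.20", "type": "LOGIN"},
    {"ts": "2025-06-04T11:12:00", "user": "u3", "ip": "203.0.113.44", "type": "BULK_QUERY", "rows": 12000},
]

def find_suspicious_sessions(events, egress=ANON_EGRESS, threshold=ROW_THRESHOLD, window=WINDOW):
    """Flag a login session when any of its traffic came from an anonymising egress IP
    and it exported at least `threshold` rows inside `window`. A connected-app
    authorisation in the same session (the Data Loader / custom-tool step) raises
    the severity to high; bulk export alone from such an IP is medium."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        session = None  # state of the most recent login for this user
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["type"] == "LOGIN":
                session = {"start": t, "ips": {e["ip"]}, "app": None, "rows": 0, "alerted": False}
                continue
            if session is None or t - session["start"] > window:
                continue  # activity outside any tracked session
            session["ips"].add(e["ip"])  # the collection step may arrive from a different (TOR) IP
            if e["type"] == "APP_AUTHORIZED":
                session["app"] = e.get("app")
            elif e["type"] == "BULK_QUERY":
                session["rows"] += e.get("rows", 0)
            if session["ips"] & egress and session["rows"] >= threshold and not session["alerted"]:
                session["alerted"] = True  # one alert per session
                alerts.append({"user": user, "ips": sorted(session["ips"]), "rows": session["rows"],
                               "app": session["app"], "severity": "high" if session["app"] else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sessions(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample, u1 (app authorised, then 48,000 rows from a listed IP) is flagged high, u3 (corporate login followed by a 12,000-row export from a listed IP) is flagged medium, and u2's small export from an ordinary address is not flagged.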