The Google Threat Intelligence Group (GTIG) has identified a sophisticated cyber campaign by a threat group tracked as UNC6783, which is targeting Business Process Outsourcing (BPO) firms as an entry point to access their high-value corporate clients.
Security analysts believe the group is linked to the “Mr. Raccoon” persona, previously associated with a major data breach involving third-party service providers connected to Adobe.
The attackers rely on high-pressure social engineering tactics, particularly through live chat interactions, to manipulate helpdesk and support staff. By impersonating technical support personnel, they direct employees to spoofed login portals and deploy advanced phishing kits designed to harvest sensitive data.
A key element of the attack involves redirecting victims to fake Okta sign-in pages. The phishing toolkit is engineered to capture clipboard data, allowing attackers to bypass conventional multi-factor authentication (MFA) safeguards.
Once inside a BPO’s network, the threat actors register their own devices to establish persistent access. This enables them to exfiltrate sensitive corporate data, which is then leveraged for extortion and ransom operations.
Austin Larsen, principal threat analyst at GTIG, noted that the group primarily focuses on compromising BPO providers that serve targeted enterprises, using them as a gateway into larger corporate ecosystems.
Security experts recommend that BPO firms adopt stronger authentication measures such as FIDO2 security keys and closely monitor for unauthorized MFA device registrations to defend against these evolving attack techniques.
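The monitoring for unauthorized MFA device registrations recommended above can be prototyped as follows. This is an added example, not code from GTIG or the original article; the event schema, field names, sample records and the 7-day threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a real IdP export).
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T08:02:00", "user": "agent.a", "event": "login", "ip": "198.51.100.10"},
    {"ts": "2025-03-10T08:05:00", "user": "agent.a", "event": "mfa_enroll", "ip": "198.51.100.10"},
    {"ts": "2025-03-01T09:00:00", "user": "agent.b", "event": "login", "ip": "198.51.100.20"},
    {"ts": "2025-03-10T14:31:00", "user": "agent.b", "event": "login", "ip": "203.0.113.77"},
    {"ts": "2025-03-10T14:35:00", "user": "agent.b", "event": "mfa_enroll", "ip": "203.0.113.77"},
    {"ts": "2025-03-02T10:00:00", "user": "agent.c", "event": "login", "ip": "198.51.100.30"},
    {"ts": "2025-03-10T15:02:00", "user": "agent.c", "event": "mfa_enroll", "ip": "203.0.113.77"},
]

MIN_IP_AGE = timedelta(days=7)  # assumed threshold; tune to your environment


def flag_enrollments(events, min_ip_age=MIN_IP_AGE):
    """Return MFA enrollments made from an IP that is new for that user."""
    first_seen = {}                   # (user, ip) -> first time this pair appeared
    users_per_ip = defaultdict(set)   # ip -> users with a flagged enrollment from it
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["ip"])
        first_seen.setdefault(key, ts)
        if ev["event"] != "mfa_enroll":
            continue
        # Enrollment from a source this user has not used for long enough.
        if ts - first_seen[key] < min_ip_age:
            users_per_ip[ev["ip"]].add(ev["user"])
            flagged.append({"user": ev["user"], "ip": ev["ip"], "ts": ev["ts"]})
    # One IP enrolling factors for several accounts is a stronger signal.
    for hit in flagged:
        hit["shared_ip_users"] = len(users_per_ip[hit["ip"]])
    return flagged


if __name__ == "__main__":
    for hit in flag_enrollments(SAMPLE_EVENTS):
        print(hit)
```

The input must cover a history longer than the threshold; otherwise every source looks new and every enrollment is flagged.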




