Overview
- Google's Threat Intelligence Group, which published its warning on Thursday, detailed how UNC6783 has hit several dozen companies by breaking into business process outsourcers and, at times, in‑house helpdesks to reach many clients through a single provider.
- The crew steers support staff in live chats to fake Okta sign‑in pages on domains that mimic Zendesk patterns, then uses a phishing kit that grabs clipboard contents to beat standard MFA and enroll attacker devices for lasting access.
- Investigators also saw fake security updates that install remote‑access malware, followed by theft of support tickets and internal data, with ransom notes then sent from Proton Mail accounts.
- Researchers noted a possible tie to a persona called Raccoon as outlets reported an unconfirmed claim that an India‑based supplier handling Adobe support was compromised and had millions of tickets taken.
- GTIG urged defenses that include FIDO2 hardware security keys for phishing‑resistant MFA, closer monitoring of live‑chat interactions, blocking look‑alike Zendesk‑style domains, checks on new MFA device enrollments, and alerts for unauthorized installers.
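Three of the recommended controls (spotting look‑alike Zendesk/Okta‑style hostnames, reviewing new MFA device enrollments, and alerting on installers that are not on an approved list) can be expressed as simple detection rules. The block below is an added example written for this summary, not code from GTIG or from the article; the event shape, the event kind names, the allow‑lists, and every hostname, user and IP address in it are constructed for illustration.

```python
"""
Added example (not code from the GTIG report or the article it summarises).
Three small detection checks drawn from the recommendations above, run over
constructed sample data. Assumptions: the Event shape, the event kind names,
the allow-lists and the sample hostnames/IPs are all made up for this example.
"""
from dataclasses import dataclass
import re

# Assumption: hostnames under one of these suffixes are the organisation's real
# helpdesk and identity provider; anything else borrowing the brand is suspect.
LEGIT_SUPPORT_SUFFIXES = ("zendesk.com", "okta.com")
# Brand tokens that look-alike sign-in pages borrow; digits cover simple e->3 / o->0 swaps.
BRAND_PATTERN = re.compile(r"z[e3]nd[e3]sk|[o0]kta")


def is_lookalike_support_host(host: str) -> bool:
    """True when a hostname trades on the Zendesk/Okta brand but is not under a legitimate suffix."""
    h = host.lower().rstrip(".")
    for suffix in LEGIT_SUPPORT_SUFFIXES:
        if h == suffix or h.endswith("." + suffix):
            return False
    return BRAND_PATTERN.search(h) is not None


@dataclass
class Event:
    ts: int        # seconds since epoch; constructed
    user: str
    kind: str      # constructed kinds: "login.success", "mfa.enroll", "software.install"
    src_ip: str
    detail: str = ""


def flag_enrollments_after_new_ip_login(events, baseline, window_s=900):
    """Surface MFA device enrollments that follow, within window_s seconds, a successful
    login from an IP address the user has not used before (per the baseline and the
    earlier events). The enrollment is flagged for review, not blocked."""
    known_ips = {u: set(ips) for u, ips in baseline.items()}  # copy so the baseline is untouched
    new_ip_login_ts = {}    # user -> timestamp of the latest login from an unseen IP
    flagged = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "login.success":
            seen = known_ips.setdefault(e.user, set())
            if e.src_ip not in seen:
                new_ip_login_ts[e.user] = e.ts
                seen.add(e.src_ip)
        elif e.kind == "mfa.enroll":
            t = new_ip_login_ts.get(e.user)
            if t is not None and 0 <= e.ts - t <= window_s:
                flagged.append(e)
    return flagged


# Assumption: the installer file names the organisation actually distributes.
APPROVED_INSTALLERS = {"corp-vpn-client.msi", "endpoint-agent-setup.exe"}


def flag_unapproved_installers(events):
    """Return software.install events whose installer is not on the approved list."""
    return [e for e in events if e.kind == "software.install" and e.detail not in APPROVED_INSTALLERS]


def run_checks(hosts, events, baseline):
    """Run all three checks and return the findings as plain lists."""
    return {
        "lookalike_hosts": [h for h in hosts if is_lookalike_support_host(h)],
        "suspicious_enrollments": [e.user for e in flag_enrollments_after_new_ip_login(events, baseline)],
        "unapproved_installers": [e.detail for e in flag_unapproved_installers(events)],
    }


# Constructed sample data: not real hosts, users or addresses.
SAMPLE_HOSTS = [
    "support.zendesk.com",        # legitimate
    "acme.zendesk.com",           # legitimate tenant subdomain
    "acme-zendesk-login.example", # brand in the registrable name, wrong suffix
    "z3ndesk-support.example",    # digit substitution
    "okta-verify.example",        # Okta-themed look-alike
    "mail.example",               # unrelated
]
BASELINE_IPS = {"agent1": {"198.51.100.7"}, "agent2": {"198.51.100.8"}}
SAMPLE_EVENTS = [
    Event(1000, "agent1", "login.success", "198.51.100.7"),            # usual address
    Event(5000, "agent1", "login.success", "203.0.113.9"),             # first login from a new address
    Event(5300, "agent1", "mfa.enroll", "203.0.113.9", "new phone"),   # enrolled 5 minutes later
    Event(9000, "agent2", "login.success", "198.51.100.8"),            # known address
    Event(9400, "agent2", "mfa.enroll", "198.51.100.8", "new phone"),  # no new-IP login first
    Event(9500, "agent2", "software.install", "198.51.100.8", "security-update.exe"),
    Event(9600, "agent3", "software.install", "198.51.100.9", "corp-vpn-client.msi"),
]

if __name__ == "__main__":
    for name, findings in run_checks(SAMPLE_HOSTS, SAMPLE_EVENTS, BASELINE_IPS).items():
        print(f"{name}: {findings}")
```

The enrollment rule deliberately keys on "login from a never‑seen IP shortly followed by a new factor" rather than on enrollments alone, so routine phone replacements from a known network are not flagged; the suffix allow‑list for hostnames is the piece that would need to be maintained against the organisation's real tenant names.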