Google's Threat Intelligence Group (GTIG) has discovered a series of targeted cyberattacks orchestrated by a financially motivated threat cluster it tracks as “UNC6040,” with hackers posing as the ShinyHunters extortion group. The attackers are using advanced social engineering tactics, including voice phishing (vishing), to steal sensitive data from multinational companies via their Salesforce platforms.
According to GTIG, the attackers contact English-speaking employees while impersonating IT support personnel. During these calls, they convince victims to install a malicious version of Salesforce's Data Loader, which is a legitimate tool used to import, export, or modify data in Salesforce environments. The attackers exploit Salesforce's OAuth-based "connected apps" functionality, tricking victims into linking the rogue application to the organization's systems via a fraudulent connection code.
Once connected, the malicious Data Loader is used to exfiltrate sensitive customer and corporate data from Salesforce instances. GTIG says the attackers then pivot laterally across other connected platforms, including Okta, Microsoft 365, and Meta's Workplace, in search of additional valuable information such as authorization tokens, internal documents, and private communications.
To make the scheme more believable, the attackers disguise the malicious tool with plausible names like “My Ticket Portal” and often reach out under the pretense of resolving technical issues. In several cases, the group was observed using IP addresses linked to Mullvad VPN during the data exfiltration process to mask their origin.
GTIG said that the team also observed phishing pages mimicking Okta login portals in the campaign, a tactic also used by cybercrime groups such as "The Com" and Scattered Spider.
While some data exfiltration attempts were thwarted by enterprise security tools, GTIG noted that the attackers adapted quickly, experimenting with different data packet sizes to avoid detection.
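The three detection opportunities in this campaign, as the report describes it, are the moment an unapproved connected app is authorized, export traffic arriving from anonymizing VPN egress, and bulk export volume that an attacker has deliberately split into varied chunk sizes. The following Python sketch is an added example (not GTIG's or Salesforce's code) that works through all three over a constructed audit log. The newline-delimited JSON record layout, the approved-app allowlist, the VPN range, the record threshold and the time window are all assumptions chosen for illustration; the VPN range is a documentation network, not a real provider's address space.

```python
"""Detection sketch for the connected-app abuse pattern described above.

Assumed audit-log format (constructed for this example, not Salesforce's real
Event Monitoring schema): one JSON object per line with the keys
  ts, user, event, app, ip, records
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allowlist of connected apps the hypothetical org has approved.
APPROVED_APPS = {"Data Loader", "Tableau CRM"}

# Placeholder range standing in for "known anonymizing VPN egress"; a real
# deployment would load a maintained list, not this documentation network.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Alert once a user/app pair has pulled this many records inside the window,
# regardless of how the requests were chunked (defeats size-varying tricks).
RECORD_THRESHOLD = 50_000
WINDOW = timedelta(hours=1)

# Constructed sample log: a rogue app named like the one in the report is
# connected, then exports in deliberately varied chunk sizes from a VPN IP,
# followed by an unremarkable export by another user via an approved app.
SAMPLE_LOG = """\
{"ts": "2025-06-04T09:00:00", "user": "j.doe", "event": "APP_CONNECTED", "app": "My Ticket Portal", "ip": "198.51.100.23", "records": 0}
{"ts": "2025-06-04T09:05:00", "user": "j.doe", "event": "DATA_EXPORT", "app": "My Ticket Portal", "ip": "198.51.100.23", "records": 9000}
{"ts": "2025-06-04T09:06:00", "user": "j.doe", "event": "DATA_EXPORT", "app": "My Ticket Portal", "ip": "198.51.100.23", "records": 2500}
{"ts": "2025-06-04T09:08:00", "user": "j.doe", "event": "DATA_EXPORT", "app": "My Ticket Portal", "ip": "198.51.100.23", "records": 40000}
{"ts": "2025-06-04T09:30:00", "user": "a.lee", "event": "DATA_EXPORT", "app": "Data Loader", "ip": "203.0.113.8", "records": 12000}
"""


def parse_log(text):
    """Parse newline-delimited JSON into dicts, converting ts to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def is_vpn_ip(ip):
    """True if the address falls inside any configured VPN egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def detect(events):
    """Return (rule, user, app, detail) alerts, one per rule per user/app pair."""
    alerts = []
    seen = set()                      # suppress repeats of the same finding
    windows = defaultdict(list)       # (user, app) -> [(ts, records), ...]

    def alert(rule, ev, detail):
        key = (rule, ev["user"], ev["app"])
        if key not in seen:
            seen.add(key)
            alerts.append((rule, ev["user"], ev["app"], detail))

    for ev in sorted(events, key=lambda e: e["ts"]):
        # Rule 1: a connected app outside the allowlist was authorized.
        if ev["event"] == "APP_CONNECTED" and ev["app"] not in APPROVED_APPS:
            alert("unapproved_app_connected", ev, ev["ip"])
        if ev["event"] != "DATA_EXPORT":
            continue
        # Rule 2: export traffic originating from anonymizing VPN egress.
        if is_vpn_ip(ev["ip"]):
            alert("export_from_vpn_egress", ev, ev["ip"])
        # Rule 3: sliding-window record total, immune to per-request chunking.
        key = (ev["user"], ev["app"])
        cutoff = ev["ts"] - WINDOW
        hist = [(t, n) for t, n in windows[key] if t >= cutoff]
        hist.append((ev["ts"], ev["records"]))
        windows[key] = hist
        total = sum(n for _, n in hist)
        if total >= RECORD_THRESHOLD:
            alert("bulk_export_volume", ev, total)
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

Rule 3 is the one that matters for the size-varying behaviour GTIG describes: a per-request threshold is easy to stay under, whereas summing records per user and app over a window catches the 9,000 + 2,500 + 40,000 sequence as a single 51,500-record export. In practice the same aggregation would be applied to whatever export event stream the platform actually emits, with the allowlist fed from the organization's connected-app inventory.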