Full Report
A new threat group is targeting business process outsourcers (BPOs) and large enterprises for extortion using live chat channels, Google has warned. Google Threat Intelligence Group (GTIG) principal threat analyst, Austin Larsen, said UNC6783 is a financially motivated threat cluster that may be tied to the “Raccoon” persona. The group has targeted several dozen “high-value…
Analysis Summary
# Threat Actor: UNC6783
## Attribution & Identity
- **Name/Alias:** UNC6783
- **Known Associations:** Google Threat Intelligence Group (GTIG) indicates the cluster may be tied to the **"Raccoon"** persona.
- **Identity:** A financially motivated threat cluster identified and tracked by Google.
## Activity Summary
- **Recent Campaigns:** UNC6783 has been observed targeting "high-value corporate entities" for extortion.
- **Operations:** The group specifically exploits BPO (Business Process Outsourcing) workflows and enterprise help desks to gain a foothold or facilitate extortion activities.
## Tactics, Techniques & Procedures
- **Live Chat Exploitation:** The group utilizes live chat channels as a primary communication and attack vector to interact with targets.
- **Social Engineering:** Targeting BPO and help desk personnel implies a heavy reliance on social engineering to manipulate support staff.
- **Extortion:** The group leverages unauthorized access or stolen data for financial gain through extortion.
- **MITRE ATT&CK IDs (Inferred from TTPs):**
  - Phishing: Spearphishing via Service ([T1566.003](https://attack.mitre.org/techniques/T1566/003/))
  - Financial Theft/Extortion (describes the actor's intent; no technique ID is mapped here)
## Targeting
- **Sectors:** Business Process Outsourcers (BPOs), Large Enterprises.
- **Geography:** Not explicitly specified, though the targeting of "high-value corporate entities" suggests a global reach with a focus on Western or multinational markets.
- **Victims:** Several dozen high-value organizations; specifically, third-party BPOs, in-house help desks, and customer support teams.
## Tools & Infrastructure
- **Malware:** Specific malware families were not named in the initial summary, though association with the "Raccoon" persona often implies the use of info-stealers or specialized social engineering kits.
- **Infrastructure:** Live chat platforms (third-party or proprietary support software used by targets).
## Implications
- **Strategic Assessment:** UNC6783 represents a shift toward targeting the "human-in-the-loop" via support channels. By targeting BPOs, the actor leverages the trust relationship between service providers and their high-value clients, potentially achieving a "one-to-many" impact for extortion.
- **Risk Level:** High, given the focus on critical customer-facing infrastructure that often lacks the stringent security controls applied to core network segments.
## Mitigations
- **Defense Recommendations:**
  - **Live Chat Hardening:** Implement strict policies for support agents regarding the receipt of files or links via chat.
  - **Identity Verification:** Enhance verification protocols for users contacting help desks to prevent social engineering-based account takeovers.
  - **Third-Party Risk Management:** Organizations should audit the security protocols of their BPO partners to ensure help desk access is not being used as an entry point.
  - **Employee Training:** Specialized training for support staff to recognize "persona-based" attacks or unusual extortion-related requests.
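The live-chat hardening and identity-verification recommendations above can be turned into detection logic over help-desk chat audit events. The following is an added example, not code from Google's report or the article: it runs over constructed JSON-lines chat events (the field names, action names and session values are assumptions) and flags links to risky file types sent by external contacts, agents opening links received in chat, and sensitive help-desk actions performed before identity verification passed.

```python
"""Detection over constructed help-desk live-chat audit events (added example)."""
import json
import re
from urllib.parse import urlparse

# Constructed sample events, one JSON object per line. Field and action names are assumptions.
SAMPLE_EVENTS = """\
{"session":"s1","ts":"2025-01-10T09:00:01Z","actor":"external","type":"message","text":"Hi, I'm from Acme finance, please open https://files-share.example/invoice.zip"}
{"session":"s1","ts":"2025-01-10T09:00:40Z","actor":"agent","type":"action","action":"open_link","target":"https://files-share.example/invoice.zip"}
{"session":"s2","ts":"2025-01-10T09:05:00Z","actor":"external","type":"message","text":"Locked out, reset my password now"}
{"session":"s2","ts":"2025-01-10T09:05:30Z","actor":"agent","type":"action","action":"password_reset","target":"user@example.com"}
{"session":"s3","ts":"2025-01-10T09:10:00Z","actor":"agent","type":"action","action":"verify_identity","result":"pass"}
{"session":"s3","ts":"2025-01-10T09:10:30Z","actor":"agent","type":"action","action":"password_reset","target":"other@example.com"}
"""

URL_RE = re.compile(r"https?://\S+")
# File types an agent should never be asked to open from a chat link (assumed policy list).
RISKY_EXT = {".zip", ".exe", ".iso", ".lnk", ".js", ".hta"}
# Help-desk actions that must only follow a passed identity check (assumed policy list).
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset", "add_device"}


def find_findings(jsonl: str):
    """Return (session, rule, detail) tuples for every policy violation in the events."""
    findings = []
    verified = set()  # sessions in which the agent completed identity verification
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        s = ev["session"]
        if ev["type"] == "message" and ev["actor"] == "external":
            # Rule 1: external party pushes a link to a risky file type into the chat.
            for url in URL_RE.findall(ev.get("text", "")):
                path = urlparse(url).path.lower()
                if any(path.endswith(ext) for ext in RISKY_EXT):
                    findings.append((s, "external_risky_link", url))
        elif ev["type"] == "action" and ev["actor"] == "agent":
            act = ev["action"]
            if act == "verify_identity" and ev.get("result") == "pass":
                verified.add(s)
            elif act == "open_link":
                # Rule 2: agent opened a link received via chat (policy violation).
                findings.append((s, "agent_opened_chat_link", ev["target"]))
            elif act in SENSITIVE_ACTIONS and s not in verified:
                # Rule 3: sensitive action taken before identity verification passed.
                findings.append((s, "sensitive_action_before_verification", act))
    return findings
```

Session s3 produces no finding because verification passed before the reset; the other two sessions each trip a rule.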