Google: New UNC6783 hackers steal corporate Zendesk support tickets
Summary: The threat group UNC6783 compromises business process outsourcing (BPO) providers to obtain sensitive data belonging to high-value companies, uses phishing and social engineering to bypass multi-factor authentication (MFA), and steals data and distributes malware for extortion.

2026-4-8 22:0:24 Author: www.bleepingcomputer.com (view original) Views: 8


A threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors.

According to the Google Threat Intelligence Group, dozens of corporate entities have been targeted through this method to exfiltrate sensitive data for extortion.

Austin Larsen, GTIG principal threat analyst, says that UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs working with targeted companies.


However, there have been instances where the hackers have also contacted support and helpdesk staff within targeted organizations, in an attempt to obtain direct access.

The researchers say that UNC6783 may be linked to Raccoon, a persona known to have targeted multiple BPOs that provide services to large companies.

In social engineering attacks over live chat, the threat actor directs support employees to spoofed Okta login pages hosted on domains that impersonate those of the target company and follow the pattern <org>[.]zendesk-support<##>[.]com.

Larsen says that the phishing kit deployed in these attacks can also capture clipboard contents to defeat multi-factor authentication (MFA), which lets the attacker enroll their own device with the victim organization's identity provider.

Google has also observed attacks where UNC6783 distributed fake security updates to deliver remote access malware.

After stealing sensitive data, the threat actor proceeds to extort victims, contacting them via ProtonMail addresses with payment demands.

While GTIG did not offer more information about Raccoon, threat intelligence account International Cyber Digest recently disclosed that someone using the alias “Mr. Raccoon” claimed a breach at Adobe, which the company has yet to confirm.

The attacker claimed to have gained access to Adobe data after compromising an India-based BPO working for the company. They deployed a remote access trojan (RAT) on an employee’s computer and subsequently targeted the employee’s manager in a phishing attack.

Mr. Raccoon said that they stole 13 million support tickets containing personal data, employee records, HackerOne submissions, and internal documents.

In conversations with BleepingComputer, the threat actor behind the Crunchyroll breach confirmed that they were also behind the Adobe attack, but did not provide any evidence.

Google’s Mandiant listed several defense recommendations against UNC6783 attacks, including deploying FIDO2 security keys for MFA, monitoring live chat for abuse, blocking spoofed domains that match Zendesk patterns, and regularly auditing MFA device enrollments.
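The domain pattern reported above (<org>[.]zendesk-support<##>[.]com) and Mandiant's recommendation to block spoofed domains matching Zendesk patterns translate directly into a detection rule. The following is an added example written for this page, not code from Google, Mandiant or BleepingComputer: it classifies queried domains against that pattern, separates them from genuine zendesk.com help centers, and runs over a handful of constructed DNS-query log lines. The regular expression details (the digit run after "zendesk-support", the lookalike heuristic) and the three-field log format are assumptions made for the example.

```python
import re
from typing import Dict, List

# Impersonation pattern described in the GTIG reporting: <org>.zendesk-support<##>.com
# The article's placeholder shows two digits; the regex accepts any digit run so that
# minor variants are not missed (assumption made for this example).
PHISH_DOMAIN_RE = re.compile(r'^(?P<org>[a-z0-9-]+)\.zendesk-support(?P<n>\d+)\.com$')

# Genuine Zendesk-hosted help centers live under zendesk.com. Anything else that
# merely contains the string "zendesk" is worth a second look (heuristic, assumed).
LEGIT_ZENDESK_RE = re.compile(r'^([a-z0-9-]+\.)*zendesk\.com$')


def refang(domain: str) -> str:
    """Normalize a domain, turning defanged indicators such as example[.]com into example.com."""
    return domain.strip().lower().replace('[.]', '.').replace('(.)', '.')


def classify_domain(domain: str) -> str:
    """Return one of: unc6783-pattern, legit-zendesk, suspicious-zendesk-lookalike, other."""
    d = refang(domain)
    if PHISH_DOMAIN_RE.match(d):
        return 'unc6783-pattern'
    if LEGIT_ZENDESK_RE.match(d):
        return 'legit-zendesk'
    if 'zendesk' in d:
        return 'suspicious-zendesk-lookalike'
    return 'other'


# Constructed sample DNS-query log lines (not real data): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2026-04-08T21:58:01Z 10.20.30.41 acme.zendesk-support01.com
2026-04-08T21:58:02Z 10.20.30.41 acme.zendesk.com
2026-04-08T21:58:05Z 10.20.30.42 www.example.org
2026-04-08T21:58:09Z 10.20.30.43 acme-help.zendesk-support.com
2026-04-08T21:58:12Z 10.20.30.44 okta.com
"""


def find_hits(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return every query that matches the phishing pattern or a lookalike."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed lines rather than crash on them
            continue
        ts, client, qname = parts
        verdict = classify_domain(qname)
        if verdict in ('unc6783-pattern', 'suspicious-zendesk-lookalike'):
            hits.append({'time': ts, 'client': client, 'domain': refang(qname), 'verdict': verdict})
    return hits


if __name__ == '__main__':
    for hit in find_hits(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} {hit['domain']} -> {hit['verdict']}")
```

The exact-pattern match is what you would feed a DNS sinkhole or proxy blocklist; the lookalike verdict is deliberately noisier and belongs in an alert queue, since legitimate third-party integrations also carry "zendesk" in their hostnames. Pair this with the FIDO2 and MFA-enrollment-audit recommendations above, because a blocked domain only stops the lure, not an attacker who has already enrolled a device.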



Source: https://www.bleepingcomputer.com/news/security/google-new-unc6783-hackers-steal-corporate-zendesk-support-tickets/