Breaches | Apr 10, 2026

UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign

UNC6783 uses fake Okta pages and social engineering to breach corporate systems via BPO partners.

Summary

Google Threat Intelligence Group (GTIG) has identified UNC6783, a hacker group possibly linked to an individual named Raccoon, targeting large enterprises through Business Process Outsourcer (BPO) compromises. The group uses phishing kits with fake Okta login pages, social engineering via live chat, and clipboard data theft to enroll malicious devices for persistent access. After stealing data, they send ransom demands via Proton Mail.

Full text

UNC6783 hackers and extortionists impersonate support staff, using fake Okta login pages and social engineering to access corporate systems and steal sensitive data.

by Deeba Ahmed, April 10, 2026

Cybersecurity experts at Google Threat Intelligence Group (GTIG) have issued a warning about a new group of hackers, known as UNC6783, who are trying to steal data from large companies for data theft extortion. Austin Larsen, a lead analyst at GTIG, reports that this group might be linked to an individual using the name Raccoon.

The hackers have so far targeted dozens of high-value organisations across various industries by compromising the security of Business Process Outsourcers (BPOs). These are third-party service providers responsible for handling tasks such as customer service and technical support for larger corporations. By targeting these partner firms, hackers can gain access to the main systems of the companies they really want to target for data theft.

How the hackers trick the staff

According to Larsen, the group uses a special phishing kit to bypass standard security. The attack kicks off with social engineering, where hackers use live chat windows to talk to employees. They pretend to be helpful but actually send links to fake login pages that look like the real Okta service used by many offices. These fake websites use addresses like <org>zendesk-support<##>com to look official.

Once an employee tries to log in, the hackers steal information from the person’s computer clipboard. This allows the attackers to add their own phones or laptops to the company’s security list. This is called enrolling a device for persistent access, which means they can get back into the system whenever they want.

Fake updates and ransom notes

GTIG’s research reveals that the hackers use several different methods to trick employees. They sometimes send messages about fake security software updates that contain a malware installer. If the employee downloads the update, a Remote Access Trojan (RAT) gets installed instead, which lets the hackers remotely control the computer. After they take the files they want, they send ransom notes using Proton Mail.

To stay safe, Mandiant and Google recommend that organisations start using physical security keys, like Titan Security Keys, instead of just text message codes. These use a standard called FIDO2, which is much harder for hackers to crack. Organisations should also monitor live chat logs and block suspicious web links that follow the Zendesk pattern. Regularly checking which devices are allowed to log in is another good practice to prevent these hackers from invading the system.

Industry experts’ perspectives

Industry experts shared their thoughts on these findings with Hackread.com. John Watters, CEO at iCOUNTER, believes this represents a major change in how hackers work. Watters stated: “What’s emerging with UNC6783 and the Raccoon persona is not just another social engineering campaign; it’s a deliberate strategy to enter through the ecosystem instead of attacking the enterprise head-on.”

He explained that by targeting live support channels, hackers are exploiting the trust between companies and their partners. Watters added: “Raccoon isn’t attacking companies, it’s attacking the relationships companies rely on to operate. If you’re not defending your ecosystem, you’re leaving the front door open through someone else’s system.”

Mika Aalto, Co-Founder and CEO at Hoxhunt, says that these attackers are using psychological tricks to beat strong security. “Attackers don’t need to hack through security systems when they can persuade people to open the door,” Aalto stated, suggesting that targeting helpdesk teams is very effective because they handle sensitive requests every day. To stay safe, he recommends training employees with realistic simulations so they can spot suspicious chats and report them as soon as they happen.
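The article's advice to monitor live chat logs for links following the Zendesk pattern can be expressed as a log check. The Python below is an added example, not code from GTIG, Mandiant or Hackread.com; it assumes the pattern reads as <org>.zendesk-support<digits>.com, and the log format, sender names and the organisation name examplecorp are constructed for illustration.

```python
import re

# Assumption: the article's pattern "<org>zendesk-support<##>com" is read as
# <org>.zendesk-support<digits>.com, with <org> the impersonated company.
LOOKALIKE = re.compile(
    r"^(?:[a-z0-9-]+\.)*(?P<org>[a-z0-9-]+)\.zendesk-support(?P<num>\d+)\.com$"
)
# Loose hostname matcher: chat messages often carry bare or partial links.
HOST = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def refang(text):
    """Undo common defanging so links quoted in reports are matched too."""
    text = re.sub(r"\[\.\]|\(\.\)", ".", text)
    return re.sub(r"hxxp", "http", text, flags=re.I)


def scan_chat_log(log_text):
    """Return (line_number, sender, host, org) for every lookalike host."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(" ", 2)  # timestamp, sender, message
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        sender, message = parts[1], parts[2]
        for match in HOST.finditer(refang(message)):
            host = match.group(1).lower()
            found = LOOKALIKE.match(host)
            if found:
                hits.append((number, sender, host, found.group("org")))
    return hits


# Constructed sample transcript (timestamp, sender, message); not real data.
SAMPLE_LOG = """\
2026-04-02T09:14:07Z visitor-4411 Hi, this is IT support, your session needs re-verification
2026-04-02T09:14:31Z visitor-4411 Please sign in here: https://examplecorp.zendesk-support42.com/
2026-04-02T09:15:02Z agent-17 Our help centre is at https://examplecorp.zendesk.com/hc
2026-04-02T09:20:45Z agent-22 User reported hxxps://examplecorp[.]zendesk-support07[.]com
"""

if __name__ == "__main__":
    for hit in scan_chat_log(SAMPLE_LOG):
        print(hit)
```

The genuine examplecorp.zendesk.com host on line 3 is not flagged; only hosts carrying the numbered zendesk-support label are returned, along with the sender to follow up on.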

Indicators of Compromise

  • malware — Remote Access Trojan (RAT)

Entities

  • UNC6783 (threat_actor)
  • Raccoon (threat_actor)
  • Google (vendor)
  • Okta (vendor)
  • Titan Security Keys (product)
  • FIDO2 (technology)