UNC6783 Cyber Attacks: How Hackers Exploit Zendesk, Okta, and BPO Providers to Steal Corporate Data

By Imthiyaz Ali

A newly identified threat group tracked as UNC6783 has emerged as a significant cybersecurity risk, targeting business process outsourcing (BPO) providers to gain unauthorized access to the corporate data they handle for their clients. According to findings from Google's threat intelligence teams, the group has compromised multiple organizations across industries by phishing its way into the customer support platforms, such as Zendesk, that those providers rely on.

How UNC6783 Operates

UNC6783 employs a multi-layered attack strategy combining social engineering, phishing, and malware deployment. Its primary targets are BPO providers, which handle sensitive customer data on behalf of high-value enterprises and so offer a single entry point that leads to many victims.

  • Step 1: Target BPO employees with phishing emails
  • Step 2: Redirect victims to spoofed Okta login pages
  • Step 3: Capture credentials and bypass MFA
  • Step 4: Gain access to Zendesk support tickets
  • Step 5: Exfiltrate sensitive data and initiate extortion

Advanced Phishing Techniques

UNC6783's phishing kits mimic legitimate Okta authentication pages and are hosted on domains that resemble Zendesk environments, so a support agent who expects to sign in to Zendesk through Okta sees nothing out of place.

The attackers also deploy clipboard-stealing malware that captures one-time passwords (OTPs), effectively bypassing multi-factor authentication (MFA) and raising the success rate of account compromise. This works because an OTP is just one more secret the victim types: any factor that can be read off a screen or pasted into a form can be relayed to the attacker. Phishing-resistant factors such as FIDO2/WebAuthn security keys are not affected, because the assertion is bound to the genuine origin and a spoofed page cannot reuse it.
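The lookalike-domain pattern described above (Okta branding on a hostname whose registrable domain is not Okta's or Zendesk's, or a near-miss spelling of either brand) can be hunted for in proxy, DNS or mail-URL logs. The script below is an added example written for this article, not code from the original post or from Google's report; the allowlist of legitimate domains and the sample URLs are assumptions made for the demo.

```python
"""Flag hostnames that impersonate Okta or Zendesk.

Added example (not code from the original article or from Google's report):
checks hostnames from e.g. proxy, DNS or email-URL logs against an allowlist
of legitimate registrable domains and reports any other domain that carries a
brand keyword or a near-miss spelling of one. The allowlist and sample URLs
are assumptions made for the demo.
"""
from urllib.parse import urlsplit

# Assumed allowlist: registrable domains the brands really use. Extend per tenant.
LEGIT_DOMAINS = {"okta.com", "oktapreview.com", "okta-emea.com", "zendesk.com"}
BRANDS = ("okta", "zendesk")


def registrable_domain(host):
    """Last two labels of the hostname ('zendesk.com'); naive on ccSLDs, fine here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as 'zendeks'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(url):
    """Return why `url` looks like an impersonation, or None if it is clean."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    if not host or registrable_domain(host) in LEGIT_DOMAINS:
        return None
    labels = host.rstrip(".").split(".")
    # Rule 1: brand keyword anywhere in the hostname of a non-allowlisted domain,
    # e.g. login.okta.com.support-portal.net or okta-zendesk-support.com.
    for label in labels:
        for brand in BRANDS:
            if brand in label:
                return f"'{brand}' appears in '{label}' but the registrable domain is {registrable_domain(host)}"
    # Rule 2: typo-squat on the second-level label, tokenised on hyphens.
    if len(labels) >= 2:
        for token in labels[-2].split("-"):
            for brand in BRANDS:
                limit = 1 if len(brand) <= 4 else 2   # short brands need a tighter bound
                if len(token) >= len(brand) - 1 and edit_distance(token, brand) <= limit:
                    return f"'{token}' is within {limit} edit(s) of '{brand}'"
    return None


def scan(urls):
    """Map each suspicious URL to its reason; clean URLs are omitted."""
    flagged = {}
    for url in urls:
        reason = lookalike_reason(url)
        if reason:
            flagged[url] = reason
    return flagged


# Constructed sample input, not real observed infrastructure.
SAMPLE_URLS = [
    "https://example.okta.com/login",
    "https://support.zendesk.com/agent",
    "https://okta-zendesk-support.com/auth",
    "https://login.okta.com.support-portal.net/",
    "https://zendeks-login.net/sso",
    "https://data.example.com/",
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLE_URLS).items():
        print(f"{url}: {reason}")
```

Rule 1 is the one that matters for this campaign: the kit does not need a typo, it needs a hostname in which "okta" or "zendesk" is visible somewhere before a registrable domain nobody checks. Rule 2 catches the cheaper typo-squats; its tighter bound for four-letter brands keeps ordinary labels such as "data" from matching "okta".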

Remote Access Trojans and Persistence

After gaining initial access, UNC6783 delivers Remote Access Trojans (RATs) disguised as security updates. These payloads allow the attackers to:

  • Maintain persistent access to compromised systems
  • Monitor internal communications
  • Extract additional credentials and sensitive data

Reports indicate that over 60% of targeted attacks involved some form of malware persistence mechanism. Persistence matters because it keeps the attacker in place after the phished Okta session expires or the victim's password is reset.

Targeting Zendesk Support Systems

Zendesk platforms are particularly valuable targets because they store customer interactions, internal notes, and sometimes confidential attachments. By accessing these systems, attackers can:

  • Harvest personally identifiable information (PII)
  • Access corporate secrets and internal workflows
  • Identify high-value targets for further attacks

Extortion and Monetization

Once data is exfiltrated, UNC6783 initiates extortion campaigns. Victims are contacted via anonymous email services such as ProtonMail, demanding payment in exchange for not releasing stolen data.

Industry reports suggest that ransomware and extortion-related damages exceeded $20 billion globally in 2024, and groups like UNC6783 are contributing significantly to this trend.

Why BPO Providers Are Prime Targets

BPO providers serve as intermediaries for multiple organizations, often with elevated access privileges. A single compromised BPO can expose data from dozens of companies across sectors such as finance, healthcare, and technology.

  • Centralized access to multiple clients
  • High volume of sensitive data
  • Often weaker security controls than the enterprises they serve

Mitigation Strategies

Organizations can reduce risk by implementing the following security measures:

  • Enforce phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys) for Okta and for every account that can reach Zendesk; OTP and push factors are exactly what this group's phishing kit is built to defeat
  • Monitor for suspicious login patterns (sign-ins from a new country or device, MFA factor enrollment shortly after sign-in) and for newly seen domains that contain "okta" or "zendesk" but are not owned by those vendors
  • Conduct regular security awareness training, with examples of Okta pages served from non-Okta domains and of "security update" lures
  • Restrict access to support platforms like Zendesk: least-privilege agent roles, SSO-only agent sign-in and IP restrictions where the platform supports them, and scope BPO accounts to the clients and ticket queues they actually work
  • Deploy endpoint detection and response (EDR) tools on BPO agent endpoints so that RATs delivered as fake security updates are caught at execution rather than after exfiltration
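The monitoring recommendation above can be made concrete against identity-provider logs. The script below is an added example written for this article, not code from the original post, from Google or from Okta: it runs two rules over sign-in events in a simplified shape modeled on Okta System Log records and flags the sequence this campaign produces, a successful sign-in from a country the user has never used followed minutes later by a new MFA factor being activated. The events, user and IP addresses are constructed for the demo.

```python
"""Flag Okta sign-ins that fit the phish-then-persist pattern.

Added example (not from the original article, Google or Okta). Two rules run
over events in a simplified shape modeled on Okta System Log records
(eventType, actor.alternateId, client.ipAddress,
client.geographicalContext.country, outcome.result, published). The events
below are constructed for the demo, with 'published' kept at second precision.
"""
from datetime import datetime, timedelta


def _event(published, event_type, user, ip, country, result="SUCCESS"):
    """Build one constructed event in the simplified System Log shape."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "outcome": {"result": result}}


# Constructed sample: an agent signs in from one country for two days, then a
# successful sign-in from a new country is followed six minutes later by a new
# MFA factor being activated, the step that turns a phished session into
# durable access that no longer needs the victim.
SAMPLE_EVENTS = [
    _event("2025-11-03T08:02:11Z", "user.session.start", "agent1@bpo.example", "203.0.113.10", "Philippines"),
    _event("2025-11-04T08:05:40Z", "user.session.start", "agent1@bpo.example", "203.0.113.10", "Philippines"),
    _event("2025-11-05T14:40:15Z", "user.session.start", "agent1@bpo.example", "198.51.100.77", "Netherlands", "FAILURE"),
    _event("2025-11-05T14:41:02Z", "user.session.start", "agent1@bpo.example", "198.51.100.77", "Netherlands"),
    _event("2025-11-05T14:47:30Z", "user.mfa.factor.activate", "agent1@bpo.example", "198.51.100.77", "Netherlands"),
]


def _ts(event):
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=30)):
    """Return alerts for new-country sign-ins and MFA enrollment that follows one.

    The first successful sign-in seen for a user only seeds the baseline; in
    production the baseline would come from a longer history, not from the
    same batch being scanned.
    """
    alerts = []
    seen_countries = {}       # user -> countries with prior successful sign-ins
    new_location_login = {}   # user -> time of the latest sign-in from a new country
    for ev in sorted(events, key=_ts):
        if ev["outcome"]["result"] != "SUCCESS":
            continue          # failed attempts are not part of these two rules
        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        when = _ts(ev)
        if ev["eventType"] == "user.session.start":
            known = seen_countries.setdefault(user, set())
            if known and country not in known:
                alerts.append({"rule": "new_country_login", "user": user, "country": country,
                               "ip": ev["client"]["ipAddress"], "published": ev["published"]})
                new_location_login[user] = when
            known.add(country)
        elif ev["eventType"] == "user.mfa.factor.activate":
            last = new_location_login.get(user)
            if last is not None and when - last <= window:
                alerts.append({"rule": "mfa_factor_activated_after_new_country_login", "user": user,
                               "country": country, "ip": ev["client"]["ipAddress"],
                               "published": ev["published"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second rule is the higher-fidelity one: a user enrolling a new factor within half an hour of their first sign-in from a new country is rare for a support agent and routine for an attacker who just captured an OTP and wants access that survives the next password reset. Treat the first rule as context for triage rather than a page on its own.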

NeuraCyb's Assessment

The emergence of UNC6783 highlights the evolving threat landscape, where attackers exploit interconnected business ecosystems rather than targeting organizations directly. As cybercriminals continue to refine their tactics, companies must adopt a proactive and layered security approach to safeguard their data and operations.


Imthiyaz Ali
Imtiyaz is an experienced Cybersecurity Professional with over 5 years of experience in Cybersecurity Research.