The new intrusion route: UNC6783 compromises suppliers and extorts large companies

Published. 4 min read.

A disturbing pattern has emerged in recent months: cybercrime groups are exploiting the trust relationship between companies and their external service providers to open doors into high-value targets. According to analysis by Google's threat intelligence teams, a threat actor tracked as UNC6783 has been compromising business process outsourcing (BPO) providers and then pivoting to their customers, extracting sensitive information that it later uses to demand a ransom.

What makes this tactic especially dangerous is its apparent simplicity and its effectiveness. Instead of trying to breach a large corporation directly, the attackers focus on companies that already hold legitimate access to its internal data, tools or systems. By attacking the external link, the BPO, they narrow the surface they have to attack and raise their odds of success by exploiting trust relationships and support channels. Google and other incident response teams have documented campaigns in which dozens of corporate entities have been affected by this method.

Image generated with AI.

The vectors UNC6783 uses are mostly social engineering: targeted phishing campaigns and attacks on live-chat support agents. In these incidents the attackers steer helpdesk employees to forged login pages that mimic identity services or support panels, often hosted on domains designed to look legitimate. The goal is not only to steal credentials but also to remove barriers such as multifactor authentication (MFA). According to analysis shared by Austin Larsen, a leading analyst in Google's threat intelligence group, some of the phishing kits deployed in these campaigns can even capture clipboard contents to defeat additional authentication factors and register devices as trusted.

Beyond the abuse of live chat and fraudulent login pages, more direct attempts have been observed: the distribution of supposed security updates that actually install remote access malware, and the impersonation of employees to gain privileges within critical systems. These methods let the attackers move laterally, collect data and finally prepare an extortion operation. In many cases the criminals have contacted victims through encrypted, anonymous email accounts, for example services such as ProtonMail, to demand payment in exchange for not publishing the stolen data.

Researchers have also pointed to a possible connection between UNC6783 and an identity known as "Raccoon". Reports and online posts attribute to this individual or group claims of breaches at large companies, asserting access gained after compromising a BPO. Some of these claims have not yet been fully verified by the companies involved, but they illustrate a recurring pattern: compromise of an external supplier followed by leaks or payment demands.

Given this scenario, the defensive recommendations combine technical and operational measures. On the technical side, adopting genuinely phishing-resistant authentication, such as FIDO2-based security keys, drastically reduces the ability of these kits to forge a login: the credential is bound to the real origin, so a look-alike page cannot relay it. Google and incident response teams also stress monitoring and protecting live support channels, because they let an attacker manipulate human interactions in real time. Another essential practice is to block domains that mimic the naming patterns of legitimate support providers, for example variants that impersonate subdomains of customer-support platforms, and to regularly audit the devices registered for MFA to detect fraudulent enrolments.
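Two of the controls above, the look-alike domain filter and the MFA enrolment audit, as a small added example written for this article; it is not Google's tooling nor anything from the campaign reports. The allow-listed hosts, the brand tokens, the log format, the baseline IP sets and the log lines are all constructed assumptions for illustration:

```python
"""Added example: triage helpers for two controls from the article.

1. is_lookalike(): flag hostnames that borrow a support/identity brand token
   but are not under an allow-listed domain.
2. suspicious_enrolments(): flag MFA device enrolments that follow a login
   from an IP the user has never authenticated from, or that come from an IP
   other than the one the preceding login used.

Everything below (hosts, tokens, log format, log lines) is constructed for
illustration; it is not Google's or any vendor's code."""
import re
from datetime import datetime, timedelta

# Hosts staff are expected to visit for support/identity (assumed allow-list).
LEGIT_SUPPORT_HOSTS = {"support.example.com", "okta.example.com", "helpdesk.example.com"}
# Tokens attackers splice into look-alike names: vendor names and the company brand (assumed).
BRAND_TOKENS = ("okta", "helpdesk", "support", "sso", "example")


def registrable_domain(host):
    """Last two labels of a host. Naive on purpose: use a public-suffix list in
    production, since this mis-handles names such as example.co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host):
    """True when the host carries a brand token but sits outside the allow-listed
    domains. A triage filter for proxy/DNS logs, not a blocklist by itself."""
    host = host.lower()
    legit_domains = {registrable_domain(h) for h in LEGIT_SUPPORT_HOSTS}
    if host in LEGIT_SUPPORT_HOSTS or registrable_domain(host) in legit_domains:
        return False
    # Split on dots and hyphens so "okta-example.com" and "okta.example-sso.net" both surface.
    labels = set(re.split(r"[.-]", host))
    return any(token in labels for token in BRAND_TOKENS)


# Constructed identity-provider log lines:
# "<iso timestamp> user=<u> event=<login|mfa_enroll> ip=<ip> [device=<d>]"
SAMPLE_LOG = [
    "2024-05-01T09:00:00 user=alice event=login ip=203.0.113.10",
    "2024-05-01T09:01:00 user=alice event=mfa_enroll ip=203.0.113.10 device=phone-1",
    "2024-05-03T14:00:00 user=alice event=login ip=198.51.100.77",
    "2024-05-03T14:03:00 user=alice event=mfa_enroll ip=198.51.100.77 device=auth-app-2",
    "2024-05-03T15:00:00 user=bob event=login ip=203.0.113.20",
    "2024-05-04T10:00:00 user=bob event=mfa_enroll ip=203.0.113.20 device=key-1",
    "2024-05-03T16:00:00 user=carol event=login ip=203.0.113.30",
    "2024-05-03T16:05:00 user=carol event=mfa_enroll ip=198.51.100.5 device=key-9",
]
# IPs each user authenticated from over a prior baseline period (assumed, e.g. last 90 days).
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}, "carol": {"203.0.113.30"}}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)(?: device=(?P<device>\S+))?$"
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def suspicious_enrolments(lines, baseline_ips, window=timedelta(minutes=30)):
    """Return (user, device, reason) tuples for enrolments worth a human review."""
    known = {user: set(ips) for user, ips in baseline_ips.items()}
    last_login = {}  # user -> (timestamp, ip, ip was first-seen)
    findings = []
    for ev in sorted((parse_line(line) for line in lines), key=lambda e: e["ts"]):
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == "login":
            first_seen = ip not in known.setdefault(user, set())
            known[user].add(ip)
            last_login[user] = (ev["ts"], ip, first_seen)
        elif ev["event"] == "mfa_enroll":
            if user not in last_login:
                findings.append((user, ev["device"], "enrolment with no preceding login in the log"))
                continue
            login_ts, login_ip, first_seen = last_login[user]
            minutes = int((ev["ts"] - login_ts).total_seconds() // 60)
            if first_seen and ev["ts"] - login_ts <= window:
                # The pattern the kits aim for: phished session, then a new "trusted" device.
                findings.append((user, ev["device"], f"enrolled {minutes} min after first-ever login from {login_ip}"))
            elif ip != login_ip:
                # The session was authorised from one place, the device added from another.
                findings.append((user, ev["device"], f"enrolment from {ip} but the session logged in from {login_ip}"))
    return findings


if __name__ == "__main__":
    for host in ("okta.example.com", "okta-example.com", "mail.google.com"):
        print(f"{host}: {'LOOK-ALIKE' if is_lookalike(host) else 'ok'}")
    for user, device, reason in suspicious_enrolments(SAMPLE_LOG, BASELINE_IPS):
        print(f"review {user} / {device}: {reason}")
```

Both functions are deliberately conservative: the domain check only surfaces candidates for review (a legitimate third-party vendor host will trip it until its domain is allow-listed), and the enrolment audit needs a baseline of IPs per user so that a user's very first enrolment is not flagged simply because the log has no history. In a real deployment the baseline would come from the identity provider's sign-in history rather than a hard-coded dictionary.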

Image generated with AI.

These recommendations are not theory: adopting stricter controls and coordinating with suppliers can make the difference between a contained incident and a mass leak. Security can no longer stop at the borders of the corporate environment; it must extend to the supply chain through contracts, technical assessments and response exercises that include the BPOs.

For further analysis and public observations on these campaigns, the reports and statements of Google's threat intelligence teams are a starting point for understanding the tactics and artifacts used. The Google Threat Analysis Group blog collects its research and recommendations: https://blog.google/threat-analysis-group/. For journalistic context and coverage of incidents attributed to these actors and of the public breach claims, specialized outlets such as BleepingComputer have followed the cases: BleepingComputer - coverage for UNC6783. Claims have also been made public on social media by accounts that track open-source intelligence, such as this X post detailing alleged claims from "Mr. Raccoon": https://x.com/IntCyberDigest/status/2039774692085526854, and in technical notes shared by analysts on LinkedIn: published by Austin Larsen. For phishing-resistant authentication mechanisms, the FIDO Alliance maintains resources and guides: https://fidoalliance.org/.

In short, the UNC6783 case is a reminder that security is a shared ecosystem. Protecting an organization today means working closely with the partners that handle its critical data and services, combining solid technical controls with human awareness, and continuously reviewing access configurations. Companies that start adopting these practices will be better placed to stop extortion campaigns before they escalate.
