Google's Threat Intelligence Group has identified a cybercriminal group called UNC6040 that successfully tricked employees at approximately 20 organizations into installing a modified version of Salesforce's Data Loader — a tool that allows exporting and updating large volumes of data. The group specializes in voice phishing campaigns targeting Salesforce instances for large-scale data theft and extortion. The attacks began earlier this year and have targeted the hospitality, retail, education, and other sectors across the Americas and Europe.
The criminals demonstrate a high degree of skill in impersonating IT support staff, convincing employees at subsidiaries of multinational companies to download the modified version of Data Loader. While their tactics bear similarities to those used by the Scattered Spider group, UNC6040 is considered a distinct organization, despite some overlaps with the underground community known as The Com.
During social engineering calls, the criminals impersonate IT support and persuade victims to open the Salesforce connection settings page — a feature that allows third-party applications to integrate with Salesforce and share data. The page requires an eight-digit connection code to link external applications, which UNC6040 provides over the phone, effectively connecting their attacker-controlled Data Loader to the victim's Salesforce environment. The group's infrastructure also hosts an Okta phishing panel used to trick victims through their mobile phones or work computers.
Following the initial Salesforce data extraction, UNC6040 sometimes performs lateral movement through the network, accessing and exfiltrating data from other platforms including Okta, Workplace, and Microsoft 365. In some cases, extortion occurs several months after the initial intrusion, suggesting a possible partnership with other criminal actors to monetize access to the stolen data. Salesforce published guidance in March on how customers can protect their environments against these types of attacks involving fraudulent IT support calls.
This post was translated and summarized from its original version with the use of AI, with human review.
With information from The Register