Beware the UNC6040 smartphone threat.
Update, June 6, 2025: This story, originally published on June 5, has been updated with additional information from the Google Threat Intelligence Group report, which potentially links UNC640 to an infamous cybercrime collective known as The Com.
Google’s Threat Intelligence Group has issued a new warning about a dangerous cyberattack group known only as UNC6040, which is succeeding in stealing data, including your credentials, by getting victims to answer a call on their smartphone. There are no vulnerabilities to exploit, unless you include yourself: these attackers “abuse end-user trust,” a Google spokesperson said, adding that the UNC6040 campaign “began months ago and remains active.” Here’s what you need to know and do. TL;DR: Don’t answer that call, and if you do, don’t act upon it.
Google’s Threat Intelligence Group Issues UNC6040 Smartphone Attack Warning
If you still need me to warn you about the growing threat from AI-powered cyberattacks, particularly those involving calls to your smartphone — regardless of whether it’s an Android or iPhone — then you really haven’t been paying attention. It’s this lack of attention, on the broadest global cross-industry scale, that has left attackers emboldened and allowed the “vishing” threat to evolve and become ever-increasingly more dangerous.
If you won’t listen to me, perhaps you’ll take notice of the cybersecurity and hacking experts who form the Google Threat Intelligence Group. A June 4 posting by GTIG, which has a motto of providing visibility and context on the threats that matter most, has detailed how it’s been tracking a threat group known only as UNC6040. This group is financially motivated and very dangerous indeed. “UNC6040’s operators impersonate IT support via phone,” the GTIG report stated, “tricking employees into installing modified (not authorized by Salesforce) Salesforce connected apps, often Data Loader variants.” The payload? Access to sensitive data and onward lateral movement to other cloud services beyond the original intrusion for the UNC67040 hackers.
Google’s threat intelligence analysts have designated UNC6040 as opportunistic attackers, and the broad spectrum of that opportunity has been seen across hospitality, retail and education in the U.S. and Europe. One thought is that the original attackers are working in conjunction with a second group that acts to monetize the infiltrated networks and stolen data, as the extortion itself often doesn’t start for some months following the initial intrusion itself.
Google Links UNC640 To The Com
The Google Threat Intelligence Group report has linked the activity of the UNC640 attack group, specifically through shared infrastructure characteristics, with a cybercrime collective known as The Com.
The highly respected investigative cybersecurity journalist, Brian Krebs, has described The Com as being a “distributed cybercriminal social network that facilitates instant collaboration.” This social network exists within Telegram and Discord servers that are home to any number of financially motivated cybercrime actors. Although it is generally agreed that The Com is something of a boasting platform, where criminal hackers go to boost their exploit kudos while also devaluing the cybercrime activities of others, its own value as a resource for threat actors looking to find collaborative opportunities with like-minded individuals should not be underestimated.
“We’ve also observed overlapping tactics, techniques, and procedures,” Google’s TIG researchers said with regard to The Com and UNC6040, “including social engineering via IT support, the targeting of Okta credentials, and an initial focus on English-speaking users at multinational companies.” However, the GTIG report admits that it is also quite possible these overlaps are simply a matter of associated threat actors who all boast within the same online criminal communities, rather than being evidence of “a direct operational relationship” between them.
Google’s UNC6040 Attack Mitigation Recommendations
To mitigate the UNC6040 attack risk, GITG said that organisations should consider the following steps:
- Adhere to the Principle of Least Privilege.
- Manage access to connected applications rigorously.
- Enforce IP-based access restrictions.
- Leverage advanced security monitoring and policy enforcement with Salesforce Shield.
- Enforce multi-factor authentication everywhere.
And, of course, as Google has advised in previous scam warnings, don’t answer those phone calls from unknown sources. If you do, and it’s someone claiming to be an IT support person, hang up and use the established methods within your organization to contact them for verification.
Read the full article here