Lawrence Abrams reports:
In June, Google warned that a threat actor they classify as ‘UNC6040’ is targeting companies’ employees in voice phishing (vishing) social engineering attacks to breach Salesforce instances and download customer data. This data is then used to extort companies into paying a ransom to prevent the data from being leaked.
In a brief update to the article last night, Google said that it too fell victim to the same attack in June after one of its Salesforce CRM instances was breached and customer data was stolen.
“In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations,” reads Google’s update.
“The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off.”
Read more at BleepingComputer.
The August 5 update to Google’s blog about UNC6040 reads:
Update (August 5): In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.
This is GTIG’s second recent update to their post on UNC6040. A previous update added a new tracker: UNC6240:
Google Threat Intelligence Group (GTIG) tracks the extortion activities following UNC6040 intrusions, sometimes several months after the initial data theft, as UNC6240. The extortion involves calls or emails to employees of the victim organization demanding payment in bitcoin within 72 hours. During these communications, UNC6240 has consistently claimed to be the threat group ShinyHunters.
In addition, we believe threat actors using the ‘ShinyHunters’ brand may be preparing to escalate their extortion tactics by launching a data leak site (DLS). These new tactics are likely intended to increase pressure on victims, including those associated with the recent UNC6040 Salesforce-related data breaches. We continue to monitor this actor and will provide updates as appropriate.
ShinyHunters Claimed Involvement in Google’s Breach
DataBreaches first heard about the Salesforce-related attack on Google on August 3, when ShinyHunters casually mentioned in a chat that “Someone from Scattered Spider emailed Google Mandiant about 12 hours ago from my email and borderline threatened them.”
In response to questions from DataBreaches, ShinyHunters went on to state that “Google suffered their first ever massive databreach” and it was related to Salesforce. ShinyHunters also said that they planned to extort them. It was not, however, ShinyHunters’ plan to tip Google off now about the future plan, and he thought the email had probably been sent by kids who thought it would be okay to do this.
This appears to be the third time in recent months that people involved with ShinyHunters have not complied with or adhered to ShinyHunters’ plan for an incident.
According to ShinyHunters, as of Sunday, Google had not discovered the breach. Google’s update does not state exactly when they first discovered the breach, but it seems that they detected it and responded to it in June, and that ShinyHunters may have been in error if they thought it had not been discovered.
But DataBreaches suspects that the August 3 email may be responsible for Google posting that update now so that they can control the narrative before ShinyHunters tries to characterize it differently or reveal it publicly.
DataBreaches emailed Google to ask them to confirm when they first discovered the breach, and if they will confirm that ShinyHunters emailed them on Sunday, and whether that influenced their decision to post an update last night. Google’s press office promptly responded, not answering any of my questions and simply pointing me to the August 5 update and recent UNC6240 update, neither of which answers the questions I posed. It’s disappointing that Google isn’t being more transparent on this.
This post will be updated if more information becomes available.
A quote from ShinyHunters was corrected post-publication. ShinyHunters also responded to Google’s speculation that they will be opening a data leak site. “That’s false, we are not creating a DLS for this,” ShinyHunters responded.