Google’s Intelligence Threat Group (GITG) has been tracking various threat actor groups under tracking labels such as UNC 6040, UNC 6240, and UNC 3944. The first two overlap with threat actors known as ShinyHunters, while the third overlaps with Scattered Spider. The ShinyHunters group has been linked to attacks on customers of Salesforce.
Google itself became a victim in June, they reported yesterday. In an update on their blog post describing how ShinyHunters uses phishing or voice phishing (“vishing”) to dupe employees and the evolution of their attack methods, Google added an update last night:
Update (August 5): In June, one of Google’s corporate Salesforce instances was impacted by similar UNC6040 activity described in this post. Google responded to the activity, performed an impact analysis and began mitigations. The instance was used to store contact information and related notes for small and medium businesses. Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off. The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.
DataBreaches.net reports that the attack on Google was the work of ShinyHunters, or ShinyHunters with Scattered Spider, as the groups appear to be merging or collaborating more.
Read more at DataBreaches.net.
