UNC6783 Threat Actor Compromises BPOs to Steal Zendesk Support Tickets Across Multiple Enterprises
What Happened — The UNC6783 group is targeting business‑process‑outsourcing (BPO) providers. Through phishing delivered in live‑chat sessions that direct victims to spoofed Okta login pages, it captures credentials and steals Zendesk support tickets containing personal data, employee records, and internal documents. The stolen data is then used for extortion via ProtonMail.
Why It Matters for TPRM —
- BPOs and SaaS help‑desk platforms are a hidden attack surface that can expose a client’s confidential information.
- Successful credential theft bypasses MFA, undermining controls that organizations assume are protecting them.
- Extortion threats can force organizations into paying ransom or disclosing breach details, increasing reputational risk.
Who Is Affected — Companies across technology, finance, healthcare, and other sectors that rely on third‑party BPOs or Zendesk‑based support services.
Recommended Actions — Review all third‑party help‑desk contracts, enforce FIDO2 or hardware‑based MFA, monitor live‑chat traffic for anomalous URLs, block spoofed Zendesk domains, and audit MFA device enrollments regularly.
Technical Notes — Attack vector: phishing‑driven social engineering via live chat, clipboard‑stealing scripts that capture MFA tokens, and delivery of remote‑access malware (a RAT). No specific CVE cited. Data types exfiltrated include support tickets, personal identifiers, employee records, and internal security disclosures. Source: BleepingComputer
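The "monitor live‑chat traffic for anomalous URLs" and "block spoofed Zendesk domains" actions above can be started with a lookalike‑domain check. The following is an added example, not code from the brief or from any vendor: it scans constructed chat transcript lines and flags URLs that reference the Okta or Zendesk brand (including digit‑for‑letter substitutions and a brand name hidden in the userinfo part of the URL) while not actually being hosted under the assumed allow‑listed domains `okta.com` and `zendesk.com`.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list (not from the brief): hosts that legitimately serve each brand's
# login or help-desk pages. Extend it with your own tenant domains before use.
LEGIT_HOSTS = {
    "okta": ("okta.com",),
    "zendesk": ("zendesk.com",),
}

# Digit-for-letter substitutions commonly seen in lookalike names, folded before matching.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _is_legit(host: str, suffixes) -> bool:
    # Exact match or a subdomain of an allow-listed host; "okta.com.evil.example" fails.
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'other' for a single URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").rstrip(".").lower()
    # netloc keeps any user@ prefix, so "https://okta.com@evil.example/" is still caught.
    folded = (parsed.netloc.lower() + parsed.path.lower()).translate(_HOMOGLYPHS)
    if any(_is_legit(host, s) for s in LEGIT_HOSTS.values()):
        return "legit"
    if any(brand in folded for brand in LEGIT_HOSTS):
        return "lookalike"
    return "other"


def scan_chat_log(lines):
    """Return (line_no, url, verdict) for every URL not hosted on an allow-listed domain."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for url in _URL_RE.findall(line):
            verdict = classify_url(url)
            if verdict != "legit":
                findings.append((n, url, verdict))
    return findings


# Constructed sample chat transcript lines (not real traffic).
SAMPLE_CHAT = [
    "14:02 agent: please sign in again at https://example.okta.com/login to continue",
    "14:03 guest: can you use this link instead https://okta-com-verify.example/sso",
    "14:04 guest: or https://0kta.example/auth?ticket=42",
    "14:05 guest: ticket export: https://zendesk.com.support-example.net/export",
    "14:06 agent: our portal is https://support.zendesk.com/hc",
]

if __name__ == "__main__":
    for line_no, url, verdict in scan_chat_log(SAMPLE_CHAT):
        print(f"line {line_no}: {verdict:9s} {url}")
```

Lines 2, 3 and 4 of the constructed transcript are reported as lookalikes; the two agent links under the allow-listed domains are not.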