Google warns of cyberattack targeting BPOs to steal corporate data

ILLINOIS, UNITED STATES — Google’s Threat Intelligence Group has issued a warning that a financially motivated hacking group is targeting business process outsourcing (BPO) firms to breach the high-value corporations they serve, exposing a fast-growing weak point in the global enterprise supply chain.
According to a report from SecurityWeek, the group, tracked as UNC6783, has already been linked to the recent theft of Adobe data from a BPO supplier, signaling that outsourcing vendors have become a primary entry route for attackers seeking access to top-tier clients.
The warning lands as enterprise reliance on third-party providers continues to climb, putting pressure on BPO firms to harden their defenses against social engineering, phishing and credential theft.
How UNC6783 is breaching BPO defenses
GTIG says UNC6783 has run social engineering and phishing campaigns against dozens of high-value corporate entities across multiple industries, with BPOs serving as the preferred point of entry.
The group lures employees to spoofed Okta login pages through live chats, deploys a phishing kit that steals clipboard contents to bypass multi-factor authentication, and creates fake Zendesk support pages posing as the targeted organization’s domain.
Once inside, attackers enroll their own devices on compromised accounts to maintain persistent access.
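A defender-side check for the persistence step described above, added here as an illustrative example and not code from the GTIG report or the article. It scans identity-provider sign-in and MFA-enrollment events and flags an account that enrols a new factor shortly after signing in from an IP address never seen for that user before. The log lines are constructed, and the field and event names (`user.session.start`, `user.mfa.factor.activate`, `client.ipAddress`) are assumed for the example rather than taken from any vendor's documented schema; map them to whatever your IdP actually emits.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (newline-delimited JSON). Field and event names are an
# assumption for this example, loosely modelled on an IdP system log; they are not
# a verified schema. bob's sequence is the one the rule should catch.
SAMPLE_LOG = """
{"published": "2025-01-03T08:00:00Z", "eventType": "user.session.start", "actor": "alice@bpo.example", "client": {"ipAddress": "203.0.113.10"}}
{"published": "2025-01-03T08:05:00Z", "eventType": "user.session.start", "actor": "bob@bpo.example", "client": {"ipAddress": "198.51.100.5"}}
{"published": "2025-01-10T09:00:00Z", "eventType": "user.session.start", "actor": "alice@bpo.example", "client": {"ipAddress": "203.0.113.10"}}
{"published": "2025-01-10T09:03:00Z", "eventType": "user.mfa.factor.activate", "actor": "alice@bpo.example", "client": {"ipAddress": "203.0.113.10"}}
{"published": "2025-01-10T10:00:00Z", "eventType": "user.session.start", "actor": "bob@bpo.example", "client": {"ipAddress": "192.0.2.77"}}
{"published": "2025-01-10T10:04:00Z", "eventType": "user.mfa.factor.activate", "actor": "bob@bpo.example", "client": {"ipAddress": "192.0.2.77"}}
{"published": "2025-01-10T11:00:00Z", "eventType": "user.session.start", "actor": "carol@bpo.example", "client": {"ipAddress": "192.0.2.9"}}
{"published": "2025-01-10T13:30:00Z", "eventType": "user.mfa.factor.activate", "actor": "carol@bpo.example", "client": {"ipAddress": "192.0.2.9"}}
"""


def parse_events(text):
    """Parse NDJSON into dicts with a timezone-aware 'ts' field, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_enrollments(events, baseline_until, window=timedelta(minutes=30)):
    """Flag MFA factor activations that follow a sign-in from a previously unseen IP.

    Events before `baseline_until` only teach the per-user set of known IPs, so the
    first sign-in ever recorded for a user does not trigger a cold-start alert.
    """
    known_ips = defaultdict(set)   # user -> IPs seen in any earlier sign-in
    pending = {}                   # user -> (ts, ip) of latest sign-in from a new IP
    alerts = []
    for event in events:
        user = event["actor"]
        ip = event["client"]["ipAddress"]
        kind = event["eventType"]
        if kind == "user.session.start":
            if event["ts"] >= baseline_until and ip not in known_ips[user]:
                pending[user] = (event["ts"], ip)
            known_ips[user].add(ip)
        elif kind == "user.mfa.factor.activate":
            hit = pending.get(user)
            # Same IP as the new-IP sign-in, and enrolment within the window.
            if hit and ip == hit[1] and event["ts"] - hit[0] <= window:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "login_at": hit[0].isoformat(),
                    "enrolled_at": event["ts"].isoformat(),
                })
                pending.pop(user)  # one alert per new-IP session
    return alerts


def run_sample():
    """Run the rule over the constructed log with a baseline cut-off of 2025-01-05."""
    events = parse_events(SAMPLE_LOG)
    return find_suspicious_enrollments(
        events, baseline_until=datetime(2025, 1, 5, tzinfo=timezone.utc)
    )


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In the sample, alice re-enrols from an IP already in her baseline and carol enrols well outside the 30-minute window, so only bob's enrolment from 192.0.2.77 is reported. In production the known-IP set would be seeded from weeks of history (or an ASN or device-fingerprint baseline rather than raw IPs), and a hit should route to a help-desk verification step rather than an automatic lockout, since legitimate staff do occasionally enrol a replacement phone from a new network.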
“The actor primarily focuses on compromising Business Process Outsourcers (BPOs) that work with these targeted companies. We have also seen them target the support and help desk staff of these organizations directly to gain trusted access and steal sensitive data for extortion operations,” said Austin Larsen, GTIG principal threat analyst.
The group’s playbook also includes fake security software updates that deliver remote access malware, followed by ransom notes sent through Proton Mail accounts.
The Adobe breach and the Mr. Raccoon connection
GTIG’s findings suggest UNC6783 is the same actor as “Mr. Raccoon,” who claimed responsibility for stealing a large volume of Adobe data from a BPO firm in India.
According to the hacker’s claims, the breach exposed personal information for 15,000 employees, millions of support tickets and bug bounty submissions — a haul that underscores how deeply outsourcing vendors are embedded in client systems.
The attack reportedly began with a phishing email targeting a support agent at the BPO, who was tricked into executing a remote access trojan that handed full control of the computer to the attacker.
The hacker then phished a manager using the agent’s email, obtained credentials for the support platform and exported the entire Adobe database in a single request.
The campaign highlights a structural vulnerability now reshaping risk calculations across the outsourcing sector — vendor access has become equivalent to enterprise access, and the industry’s growing role in handling sensitive corporate data is making BPO firms a top target for financially motivated threat actors worldwide.

Independent