Google Reports UNC6783 Hacker Group Stealing Corporate Zendesk Support Tickets

Google has identified the threat actor UNC6783 compromising business process outsourcing (BPO) providers in order to reach high-value companies and steal the corporate Zendesk support tickets those providers handle on their behalf. The activity spans multiple sectors, and it reflects a deliberate strategy of reaching confidential corporate communications through third-party service providers rather than through the target's own perimeter.
What happened
The UNC6783 group has been observed compromising BPO providers that manage customer support operations on behalf of large organizations. By gaining access to Zendesk accounts used for corporate support tickets, the threat actor can exfiltrate sensitive information contained within these communications. Such attacks leverage the third-party relationship between BPO providers and their clients to infiltrate the latter's internal processes and data.
Why it matters
This activity poses significant risk to organizations across sectors that rely on outsourced customer support, as sensitive information exchanged through support tickets could include internal business details, customer data, or operational insights. Attackers exploiting BPO access channels represent a persistent threat vector that complicates traditional perimeter defenses and increases the attack surface that security teams need to protect.
What security teams should do
Organizations using BPO support services should review access logs and assess permissions granted to third-party providers, ensuring appropriate segmentation and monitoring of Zendesk and other ticketing systems. Prompt collaboration with BPO partners to detect anomalous activity and to implement multi-factor authentication and least-privilege principles can reduce risk. Security teams should also track updates from vendors like Zendesk concerning security advisories or enhanced monitoring features.
Key technical details
UNC6783 targets Zendesk platforms accessed and managed by BPO providers, exploiting the trust relationships between these providers and their corporate clients. The threat actor can move laterally within the support environment to access and steal support tickets. Specific techniques used for compromise or exfiltration were not detailed in the source material, but the approach relies on BPO credential or session hijacking to penetrate corporate Zendesk environments.
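The review of third-party access that the "What security teams should do" section recommends, together with the credential- or session-hijacking pattern described above, can be turned into a small, repeatable check. The following Python script is an added example, not code from the original article, from Google, or from Zendesk. It walks a list of audit-log-style records and flags four things for outsourced (BPO) agent accounts: a privileged role (a least-privilege violation), a login from outside the provider's registered egress ranges (a hijacked-credential indicator), creation of an API or OAuth token (standing access), and repeated ticket exports (bulk exfiltration). The records, the account list, the egress ranges, the role inventory and the thresholds are all constructed; the field names (actor_name, action, ip_address) are modelled loosely on the shape of Zendesk's audit log export and are assumptions, not a guaranteed schema.

```python
"""Detection sketch for third-party (BPO) agent activity in a Zendesk tenant.

Added example; not the article's, Google's or Zendesk's code.  All inventory
values and log entries below are constructed, and the record field names are
assumptions modelled loosely on Zendesk's audit log export.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed inventory: which agent logins belong to the outsourced provider,
# and which egress ranges that provider has registered with us (constructed;
# 198.51.100.0/24 is a documentation range, not a real provider).
BPO_ACCOUNTS = {"bpo.agent1@example-bpo.test", "bpo.agent2@example-bpo.test"}
BPO_EGRESS = [ip_network("198.51.100.0/24")]

# Assumed snapshot of user roles (e.g. pulled from the users API); a
# third-party support agent should never hold a privileged role.
USER_ROLES = {
    "bpo.agent1@example-bpo.test": "agent",
    "bpo.agent2@example-bpo.test": "admin",      # constructed violation
    "internal.admin@corp.test": "admin",
}
PRIVILEGED_ROLES = {"admin", "account owner"}

# Actions that grant standing access or move ticket data in bulk.
TOKEN_ACTIONS = {"create_api_token", "create_oauth_token"}
EXPORT_ACTION = "export"
EXPORT_THRESHOLD = 2   # constructed; tune to your own baseline

# Constructed audit-log-style entries (not real data).
AUDIT_LOG = [
    {"actor_name": "bpo.agent1@example-bpo.test", "action": "login", "ip_address": "198.51.100.7"},
    {"actor_name": "bpo.agent1@example-bpo.test", "action": "export", "ip_address": "198.51.100.7"},
    {"actor_name": "bpo.agent2@example-bpo.test", "action": "login", "ip_address": "203.0.113.45"},
    {"actor_name": "bpo.agent2@example-bpo.test", "action": "create_api_token", "ip_address": "203.0.113.45"},
    {"actor_name": "bpo.agent2@example-bpo.test", "action": "export", "ip_address": "203.0.113.45"},
    {"actor_name": "bpo.agent2@example-bpo.test", "action": "export", "ip_address": "203.0.113.45"},
    {"actor_name": "internal.admin@corp.test", "action": "login", "ip_address": "203.0.113.1"},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    detail: str


def ip_in_ranges(ip: str, ranges) -> bool:
    """True if the address falls inside any of the given networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def analyze(entries, user_roles=USER_ROLES):
    """Return findings for BPO accounts only; internal users are out of scope here."""
    findings = []

    # 1. Least privilege: a third-party agent holding a privileged role.
    for actor in sorted(BPO_ACCOUNTS):
        role = user_roles.get(actor, "")
        if role in PRIVILEGED_ROLES:
            findings.append(Finding("bpo_privileged_role", actor, f"role={role}"))

    exports = defaultdict(int)
    for e in entries:
        actor = e["actor_name"]
        if actor not in BPO_ACCOUNTS:
            continue
        # 2. Login from an address the provider never registered: a possible
        #    stolen credential or replayed session.
        if e["action"] == "login" and not ip_in_ranges(e["ip_address"], BPO_EGRESS):
            findings.append(Finding("bpo_login_outside_egress", actor, f"ip={e['ip_address']}"))
        # 3. A token is standing access that survives a password reset.
        if e["action"] in TOKEN_ACTIONS:
            findings.append(Finding("bpo_token_created", actor, f"action={e['action']}"))
        # 4. Count exports; repeated exports by one agent look like bulk collection.
        if e["action"] == EXPORT_ACTION:
            exports[actor] += 1

    for actor, count in sorted(exports.items()):
        if count >= EXPORT_THRESHOLD:
            findings.append(Finding("bpo_bulk_export", actor, f"exports={count}"))
    return findings


if __name__ == "__main__":
    for f in analyze(AUDIT_LOG):
        print(f"{f.rule:28} {f.actor:32} {f.detail}")
```

On the constructed log the script reports nothing for the first BPO agent, who stays inside the registered range and exports once, and four findings for the second, covering every rule. In practice the account list and egress ranges are the part worth maintaining with the provider, because the login-origin rule is only as good as that inventory; the export threshold is a placeholder to be set from observed behaviour, not a recommended value.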
Affected organizations/products
The compromise affects multiple sectors served by BPO providers who manage customer support via Zendesk systems. High-value companies across industries that outsource support operations through such providers could be at risk due to this campaign.