The notorious cyber gang UNC3944, suspected of involvement in the recent attacks on Snowflake customers and MGM Resorts, among others, has shifted its tactics and is now targeting SaaS applications.
According to Google Cloud’s Mandiant threat intelligence team, UNC3944’s activity overlaps significantly with that of the groups tracked as “0ktapus,” “Octo Tempest,” “Scatter Swine,” and “Scattered Spider.” The group’s operations began with credential harvesting and SIM swapping, progressed to ransomware and data theft extortion, and have now transitioned to “primarily data theft extortion, without the use of ransomware.”
Mandiant said it had heard recordings of UNC3944’s calls to corporate help desks in which the callers attempted social engineering attacks.
“The threat actors spoke with clear English and targeted accounts with high privilege potential,” Mandiant’s researchers noted last week. In some cases, callers already possessed victims’ personally identifiable information – allowing the attackers to bypass identity verification checks.