Hackers Exploit Malicious Salesforce Tool in Voice Phishing Data Theft Scheme

CyberPro Magazine

A financially motivated threat group tracked as UNC6040 has been running a months-long campaign against Salesforce customers, according to a recent report by Google’s Threat Intelligence Group (GTIG). The attackers rely on voice phishing (vishing): they phone employees, primarily at English-speaking divisions of multinational corporations, while impersonating IT support staff.

Once trust is established, the caller walks the target to Salesforce’s connected-application setup pages and has them approve an unauthorized, modified version of Data Loader, the legitimate Salesforce tool for bulk import and export of records. Because the victim grants the access themselves, the attackers’ copy of the tool is connected to the Salesforce environment with the victim’s permissions, and they use it to query and exfiltrate sensitive corporate data.

Google’s findings show that these intrusions do not stop at Salesforce data. After gaining initial access, the attackers often pivot into the victim’s wider environment, including internal networks and other connected cloud services, magnifying the impact.

Salesforce Responds to Threat with Security Recommendations

Salesforce, which addressed the issue in a March blog post, stated that the attacks do not stem from any vulnerability in the Salesforce platform itself. A company spokesperson said the campaign hinges on exploiting human error rather than technical flaws: “Voice phishing scams are targeted social engineering attacks that capitalize on lapses in individual cybersecurity practices.”

In response to the threat, Salesforce has urged its customers to adopt stronger controls: enabling multifactor authentication (MFA), minimizing access privileges to only the users who need them, and restricting logins by IP address. Note that in the scenario described above the victim authenticates legitimately and then approves the attacker’s application, so MFA alone does not block the technique; limiting which users may authorize connected apps or run bulk tools, and from which IP ranges, is what bounds the damage a deceived employee can do.
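The controls above leave a footprint that can be hunted for. The following is an added example (editor’s code, not Salesforce’s or GTIG’s tooling) that runs offline over a constructed set of Salesforce LoginHistory records. The field names (UserId, LoginTime, LoginType, SourceIp, Status, Application) are those of the LoginHistory object, and OAuth connected-app logins appear there with LoginType "Remote Access 2.0"; the sample records, the "Data Loader" application label, the corporate CIDR allowlist and the list of approved users are assumptions made for the example. It flags three things: a successful login from outside the IP allowlist, a bulk-tool OAuth login by a user not approved to run one, and the vishing pattern itself, a bulk-tool login from a new IP shortly after the same user’s interactive login.

```python
"""Hunt for unexpected Data Loader / connected-app logins in Salesforce LoginHistory.

Example code added by the editor; not Salesforce's or GTIG's tooling.
Field names match the Salesforce LoginHistory object. The sample records,
the "Data Loader" application label, the CIDR allowlist and the user IDs
are constructed for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample: what a SOQL query such as
#   SELECT UserId, LoginTime, LoginType, SourceIp, Status, Application FROM LoginHistory
# might return (records only, without the REST API's envelope).
SAMPLE_LOGIN_HISTORY = [
    {"UserId": "005xx000001A1AAAA", "LoginTime": "2025-05-02T09:14:07.000+0000",
     "LoginType": "Application", "SourceIp": "10.20.5.17", "Status": "Success",
     "Application": "Browser"},
    {"UserId": "005xx000001A1AAAA", "LoginTime": "2025-05-02T09:31:45.000+0000",
     "LoginType": "Remote Access 2.0", "SourceIp": "198.51.100.23", "Status": "Success",
     "Application": "Data Loader"},
    {"UserId": "005xx000001B2BBBB", "LoginTime": "2025-05-02T10:02:11.000+0000",
     "LoginType": "Remote Access 2.0", "SourceIp": "10.20.7.4", "Status": "Success",
     "Application": "Data Loader"},
    {"UserId": "005xx000001C3CCCC", "LoginTime": "2025-05-02T11:45:00.000+0000",
     "LoginType": "Application", "SourceIp": "203.0.113.9", "Status": "Failed",
     "Application": "Browser"},
]

# Hypothetical policy inputs: egress ranges that login IP restrictions should
# permit, and the short list of users who legitimately run a bulk tool.
CORPORATE_CIDRS = ["10.20.0.0/16"]
APPROVED_DATA_LOADER_USERS = {"005xx000001B2BBBB"}
BULK_TOOL_LABELS = {"Data Loader"}  # assumption: label used in the constructed sample
OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # how OAuth connected-app logins are recorded


def parse_time(value):
    # LoginHistory timestamps look like 2025-05-02T09:14:07.000+0000
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def in_allowed_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def is_bulk_tool_login(r):
    return r["LoginType"] == OAUTH_LOGIN_TYPE and r["Application"] in BULK_TOOL_LABELS


def flag_suspicious_logins(records, cidrs=CORPORATE_CIDRS,
                           approved_users=APPROVED_DATA_LOADER_USERS):
    """Return (UserId, LoginTime, reason) for successful logins that violate
    either control: 'outside_ip_allowlist' for a login the IP restrictions
    should have blocked, 'unapproved_bulk_tool' for a bulk-tool OAuth login by
    a user who is not approved to run one."""
    findings = []
    for r in records:
        if r["Status"] != "Success":
            continue  # failed logins are noise for this hunt
        if not in_allowed_ranges(r["SourceIp"], cidrs):
            findings.append((r["UserId"], r["LoginTime"], "outside_ip_allowlist"))
        if is_bulk_tool_login(r) and r["UserId"] not in approved_users:
            findings.append((r["UserId"], r["LoginTime"], "unapproved_bulk_tool"))
    return findings


def flag_tool_authorized_from_new_ip(records, window_minutes=60):
    """Flag a bulk-tool OAuth login that follows an interactive login by the
    same user within `window_minutes` but from a different IP: the footprint
    of an employee who is on the phone with the caller while the caller's
    copy of the tool is being connected to the account."""
    by_user = {}
    for r in records:
        if r["Status"] == "Success":
            by_user.setdefault(r["UserId"], []).append(r)
    findings = []
    window = timedelta(minutes=window_minutes)
    for user, rows in by_user.items():
        rows.sort(key=lambda r: parse_time(r["LoginTime"]))
        for i, r in enumerate(rows):
            if not is_bulk_tool_login(r):
                continue
            for prev in rows[:i]:
                gap = parse_time(r["LoginTime"]) - parse_time(prev["LoginTime"])
                if (prev["LoginType"] != OAUTH_LOGIN_TYPE
                        and prev["SourceIp"] != r["SourceIp"] and gap <= window):
                    findings.append((user, r["LoginTime"],
                                     "bulk_tool_from_new_ip_after_interactive"))
                    break
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_logins(SAMPLE_LOGIN_HISTORY):
        print(f)
    for f in flag_tool_authorized_from_new_ip(SAMPLE_LOGIN_HISTORY):
        print(f)
```

Against the sample, the second record is flagged three times: it comes from an address outside the allowlist, the user is not approved to run a bulk tool, and it follows that user’s browser login by 17 minutes from a different IP. The approved user’s in-range Data Loader login produces nothing, which is the point of the allowlists: the hunt is tuned to the organization’s own least-privilege and IP policy rather than to a fixed indicator.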

While the exact reason why Salesforce was specifically targeted remains unclear, Google investigators believe that the hackers gained expertise with the platform through prior experience or research, not insider access. The group’s operations showed varying degrees of sophistication, indicating differing skill levels within the team.

Extortion Attempts and Links to Broader Cybercrime Networks

Beyond data theft, UNC6040 has initiated extortion attempts, sometimes waiting months after the initial breach to demand ransoms. This prolonged strategy points to calculated planning and suggests coordination with other malicious actors. In several cases, victims reported that the extortion messages claimed affiliation with the notorious ShinyHunters cybercrime group, indicating possible partnerships or rebranding efforts.

Google analyst Austin Larsen noted some overlap between UNC6040 and “The Com,” a broader underground cybercriminal collective linked to the infamous Scattered Spider group. However, he clarified that UNC6040 remains a distinct entity, separate from UNC3944, the threat actor typically associated with Scattered Spider.

The campaign illustrates a broader trend in cybercrime: voice phishing is increasingly the favored entry point for highly targeted attacks. As organizations continue to rely on cloud-based tools like Salesforce, this incident underscores the importance of rigorous user training and of technical controls that limit what a deceived user is able to grant.
