(TLP:CLEAR) FBI Flash: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
Created: Thursday, September 18, 2025 - 15:01
Categories: Cybersecurity, Federal & State Resources, Security Preparedness
Summary: The FBI has recently released a FLASH report to raise awareness of, and disseminate indicators of compromise (IOCs) associated with, recent malicious cyber activities by cyber criminal groups UNC6040 and UNC6395, which are responsible for a rising number of data theft and extortion intrusions. Both groups have recently been observed targeting organizations’ Salesforce platforms via different initial access mechanisms.
Analyst Note: These financially motivated groups are primarily targeting Salesforce users with voice phishing (vishing) attacks, tricking employees into connecting malicious apps to their company accounts. The groups claiming responsibility for these attacks state that they are part of the ShinyHunters, Scattered Spider, and Lapsus$ extortion groups, and are now calling themselves “Scattered Lapsus$ Hunters.” ShinyHunters has recently claimed to have stolen 1.5 billion Salesforce records. These groups are tracked as UNC6040 and UNC6395 by Google.
Original Source: https://www.ic3.gov/CSA/2025/250912.pdf
Additional Reading:
- FBI warns of Salesforce attacks by UNC6040 and UNC6395 groups
- ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks
- The Cost of a Call: From Voice Phishing to Data Extortion
Related WaterISAC PIRs: 6, 10, 12