The Hacker News

UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign

A sophisticated cybercriminal group, identified as UNC3753, conducted a data theft and extortion campaign against dozens of U.S. organizations between January and May 2026, as detailed by Google Mandiant and Google Threat Intelligence Group (GTIG). This operation distinguished itself by employing a dual approach, combining "vishing" (voice phishing) with physical intrusions to compromise targets in the professional, legal, and financial services sectors.

The group's tactics involved leveraging social engineering through phone calls to gather initial intelligence and manipulate employees, often followed by physical access to gain deeper network penetration. This hybrid methodology allowed UNC3753 to exfiltrate sensitive data, which was then used as leverage for extortion demands. The researchers noted that UNC3753's operational security was notably high, making attribution and disruption challenging. The group demonstrated a clear understanding of target environments, tailoring their attacks to exploit specific vulnerabilities within these industries.

The campaign's success underscores the evolving threat landscape where cybercriminals are increasingly blending digital and physical infiltration techniques to achieve their objectives. The financial services sector, in particular, remains a prime target due to the high value of the data it holds. The findings highlight the critical need for organizations to bolster both their digital defenses and physical security protocols, as well as to enhance employee training on social engineering tactics.

The prolonged duration of the campaign and the breadth of its targets suggest a well-resourced and persistent threat actor capable of significant disruption. The specific details of the data stolen and the exact extortion amounts have not been publicly disclosed, but the nature of the targeted industries implies the potential for severe financial and reputational damage to the victim organizations. The ongoing analysis by Mandiant and GTIG aims to further understand UNC3753's infrastructure, motivations, and potential future activities.
