UNC6040 and UNC6395 Hit Salesforce — Data Steal and Blackmail

15.09.2025 2 minutes Author: Newsman

The FBI has issued an urgent warning with indicators of compromise (IoCs) about two cybercriminal groups, UNC6040 and UNC6395, which have recently been compromising Salesforce instances at scale through different access vectors, stealing data and then moving on to extortion.

  • UNC6395. In August 2025, a large-scale data-theft campaign against Salesforce instances was recorded, carried out with compromised OAuth tokens of the Salesloft Drift integration. Salesloft confirmed that the root cause was the compromise of its GitHub account (March to June 2025). The company has isolated the Drift infrastructure, temporarily disabled the chatbot, is rotating credentials and strengthening MFA and GitHub security, and advises all customers to treat every Drift integration and the data it can reach as potentially compromised.

  • UNC6040. The group (active since at least October 2024) gains initial access through vishing (voice phishing over the phone), then extracts data from Salesforce in bulk using a modified Salesforce Data Loader, custom Python scripts and direct API requests. The extortion stage often comes months after the breach. Google attributes part of the pressure on victims to the UNC6240 cluster, which poses as ShinyHunters.

  • Movement in the criminal scene. Against the background of these attacks, statements appeared about coordination between ShinyHunters, Scattered Spider and LAPSUS, and on September 12, 2025, they announced their “exit” on Telegram. Unit 42 experts warn that such “retirements” are usually temporary: groups split, rebrand and return, while the risks from already stolen data and hidden backdoors remain.

The FBI's flash alert with IoCs is intended to help organizations that use Salesforce protect themselves. Salesloft, in response to the Drift incident, is rolling out stronger authentication and hardening of its environment; customers are advised to rotate secrets, temporarily disable some integrations and review their security settings. Typical adversary techniques: social engineering (vishing), theft or misuse of OAuth tokens, mass export through official tools and APIs, and subsequent blackmail.

Even if individual criminal brands “go quiet”, the threat does not disappear. Organizations should act on the principle of “assume compromise”: revoke and reissue OAuth tokens, inventory and disable unnecessary integrations, enforce MFA and harden GitHub, monitor Salesforce API logs for bulk extraction, restrict access on the least-privilege principle, and train staff against vishing. Continuous monitoring of the IoCs published by the FBI and the vendors is essential.
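The two log-based checks recommended above, bulk extraction and unknown integrations, can be run over Salesforce event logs with a short script. The following is an added example written for this article, not tooling from the FBI, Salesforce or Salesloft. The sample records are constructed, and the column names (EVENT_TYPE, TIMESTAMP, USER_ID, CLIENT_IP, CONNECTED_APP_ID, ENTITY_NAME, ROWS_PROCESSED) and the allowlist of connected-app IDs are assumptions modelled on the shape of Salesforce EventLogFile API records, so check them against your own export before use.

```python
"""Flag bulk data extraction and unknown integrations in Salesforce event logs.

Added example for this article; the CSV below is constructed sample data and
the column names are assumptions modelled on EventLogFile API/BulkApi records.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one normal CRM user, one compromised integration token
# pulling whole objects late at night, and one connected app nobody inventoried.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,CONNECTED_APP_ID,ENTITY_NAME,ROWS_PROCESSED
API,20250818090001.000,005A1,203.0.113.7,0H4CRM,Account,250
API,20250818091500.000,005A1,203.0.113.7,0H4CRM,Contact,300
BulkApi,20250818223000.000,005B2,198.51.100.9,0H4DRIFT,Account,9500
BulkApi,20250818224100.000,005B2,198.51.100.9,0H4DRIFT,Contact,12000
BulkApi,20250818225200.000,005B2,198.51.100.9,0H4DRIFT,Opportunity,8000
API,20250819101200.000,005C3,192.0.2.44,0H4UNKNOWN,Case,7000
API,20250819101900.000,005C3,192.0.2.44,0H4UNKNOWN,Case,6500
"""

# Assumed allowlist produced by the integration inventory step (hypothetical IDs).
APPROVED_APPS = frozenset({"0H4CRM", "0H4DRIFT"})


def parse_log(text):
    """Parse CSV event records into dicts sorted by timestamp.

    TIMESTAMP is assumed to be yyyyMMddHHmmss.SSS as in EventLogFile exports.
    """
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(rec["TIMESTAMP"], "%Y%m%d%H%M%S.%f"),
            "user": rec["USER_ID"],
            "ip": rec["CLIENT_IP"],
            "app": rec["CONNECTED_APP_ID"],
            "entity": rec["ENTITY_NAME"],
            "rows": int(rec["ROWS_PROCESSED"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def flag_bulk_exports(text, row_threshold=10_000, window=timedelta(hours=1),
                      approved_apps=APPROVED_APPS):
    """Return findings per (user, connected app) pair.

    A pair is flagged when the rows it processed inside any sliding window of
    `window` length reach `row_threshold`, or when the app is not on the
    allowlist. Both conditions are reported so an approved-but-compromised
    integration (the Drift case) is still caught by volume alone.
    """
    by_actor = defaultdict(list)
    for e in parse_log(text):
        by_actor[(e["user"], e["app"])].append(e)

    findings = []
    for (user, app), evs in by_actor.items():
        start, total, peak, peak_entities = 0, 0, 0, set()
        for end, e in enumerate(evs):
            total += e["rows"]
            # Evict events older than the window relative to the newest one.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            if total > peak:
                peak = total
                peak_entities = {x["entity"] for x in evs[start:end + 1]}

        reasons = []
        if peak >= row_threshold:
            reasons.append(f"{peak} rows in {window}")
        if app not in approved_apps:
            reasons.append("connected app not in inventory")
        if reasons:
            findings.append({
                "user": user,
                "app": app,
                "peak_rows": peak,
                "entities": sorted(peak_entities),
                "ips": sorted({x["ip"] for x in evs}),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: -f["peak_rows"])


if __name__ == "__main__":
    for f in flag_bulk_exports(SAMPLE_LOG):
        print(f"{f['user']} via {f['app']} from {','.join(f['ips'])}: "
              f"{f['peak_rows']} rows over {f['entities']} -> {'; '.join(f['reasons'])}")
```

Tune the threshold to your org's normal export volume and feed the script the real EventLogFile export; the point of keeping the volume check independent of the allowlist is that the Drift tokens belonged to an approved integration, so an allowlist alone would not have raised anything.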
