Cybersecurity Alert: FBI Warns of Two Active Cybercriminal Groups Targeting Salesforce
The FBI has recently issued a flash alert regarding two cybercriminal organizations identified as UNC6040 and UNC6395, which are involved in a series of data theft and extortion attacks. This advisory highlights crucial threats against organizations utilizing Salesforce platforms, emphasizing the urgent need for enhanced cybersecurity measures.
UNC6395: Exploiting OAuth Tokens for Data Theft
One notable player in this cybercrime landscape is UNC6395. This group is under scrutiny for a significant data theft operation that took place in August 2025, where they targeted Salesforce instances. The mechanism of their attack exploited compromised OAuth tokens associated with the Salesloft Drift application.
Salesloft revealed that the compromise of its GitHub account, which occurred between March and June 2025, was a key factor enabling UNC6395's operation. In response, Salesloft has taken steps to safeguard its infrastructure: it has isolated the Drift platform and temporarily shut down the AI chatbot application, and it is implementing new security controls, including multi-factor authentication and hardened GitHub security settings.
Salesloft is advising all Drift users to consider their data and integrations as potentially compromised, underlining the severity of the breach.
UNC6040: Phishing and Data Exfiltration
Another group highlighted in the FBI’s alert is UNC6040. Identified as a financially motivated entity, this group has been active since October 2024. They have been linked to vishing campaigns—voice phishing tactics aimed at gaining initial access to target networks and subsequently hijacking Salesforce instances for large-scale data theft.
In their attacks, UNC6040 has employed a modified version of Salesforce's Data Loader application alongside custom Python scripts. These tools allow them to access Salesforce portals and exfiltrate valuable data from their victims. Notably, some of these intrusions have led to extortion attempts well after the initial data theft.
The FBI reported that UNC6040 has used phishing panels, coaxing victims during social engineering phone calls into opening malicious links from their mobile devices or workplace computers. Once access is granted, the perpetrators execute API queries to extract substantial volumes of data in bulk.
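Both groups described above ultimately pull data out of Salesforce through the API in bulk, whether via a compromised integration's OAuth token (UNC6395) or a modified Data Loader driven by custom scripts (UNC6040). The following added example, which is not code from the FBI alert, Salesforce, Salesloft or any vendor, shows the kind of detection a defender can run over exported API event records: it sums rows returned per user and client application and flags pairs that exceed a volume threshold or use a watched client name. The column names are assumed, loosely modeled on Salesforce event-log style fields, and the records, user names and the "Drift-Placeholder" client name are constructed for the demonstration.

```python
"""Flag bulk Salesforce API extraction in constructed API-event records.

Added example for this article; it is not FBI, Salesforce or Salesloft code.
The column names are ASSUMED (loosely modeled on Salesforce event-log style
fields) and the sample records are constructed, not real telemetry.
"""
import csv
import io
from collections import defaultdict

# Constructed sample records (ASSUMED schema, see module docstring).
SAMPLE_EVENTS = """\
TIMESTAMP,USER_NAME,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
2025-08-08T09:00:12Z,alice@example.com,Salesforce for Outlook,query,Contact,40
2025-08-08T09:02:51Z,alice@example.com,Salesforce for Outlook,query,Account,12
2025-08-08T13:14:07Z,bob@example.com,Data Loader Partner,query,Account,200000
2025-08-08T13:19:44Z,bob@example.com,Data Loader Partner,query,Contact,750000
2025-08-08T13:25:02Z,bob@example.com,Data Loader Partner,query,Opportunity,310000
2025-08-08T14:01:33Z,drift-integration@example.com,Drift-Placeholder,query,Case,180000
2025-08-08T14:03:10Z,drift-integration@example.com,Drift-Placeholder,query,Account,220000
2025-08-08T15:30:00Z,carol@example.com,Data Loader Partner,query,Lead,1500
"""

# Total rows per (user, client) at or above which we alert; tune to the org baseline.
ROW_THRESHOLD = 100_000

# Client names that deserve review even at low volume. The article notes that
# UNC6040 used a modified Data Loader, so Data Loader-family clients are worth a
# look. Placeholder list, not a vendor indicator set.
WATCHED_CLIENT_SUBSTRINGS = ("data loader",)


def parse_events(text):
    """Parse CSV text into a list of dicts with ROWS_PROCESSED as an int."""
    reader = csv.DictReader(io.StringIO(text))
    events = []
    for row in reader:
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def aggregate_by_user_client(events):
    """Sum rows, count calls and collect touched objects per (user, client)."""
    totals = defaultdict(lambda: {"rows": 0, "entities": set(), "calls": 0})
    for ev in events:
        bucket = totals[(ev["USER_NAME"], ev["CLIENT_NAME"])]
        bucket["rows"] += ev["ROWS_PROCESSED"]
        bucket["entities"].add(ev["ENTITY_NAME"])
        bucket["calls"] += 1
    return totals


def is_watched_client(client_name):
    """Case-insensitive substring match against the watch list."""
    name = client_name.lower()
    return any(s in name for s in WATCHED_CLIENT_SUBSTRINGS)


def find_bulk_extraction(events, threshold=ROW_THRESHOLD):
    """Return findings sorted by total rows, highest first.

    A (user, client) pair is reported when its summed ROWS_PROCESSED meets the
    threshold or when the client name is on the watch list.
    """
    findings = []
    for (user, client), bucket in aggregate_by_user_client(events).items():
        reasons = []
        if bucket["rows"] >= threshold:
            reasons.append("rows >= threshold")
        if is_watched_client(client):
            reasons.append("watched client")
        if reasons:
            findings.append({
                "user": user,
                "client": client,
                "rows": bucket["rows"],
                "calls": bucket["calls"],
                "entities": sorted(bucket["entities"]),
                "reasons": reasons,
            })
    findings.sort(key=lambda f: f["rows"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_bulk_extraction(parse_events(SAMPLE_EVENTS)):
        print(f"{f['user']:<32} {f['client']:<22} rows={f['rows']:>9} "
              f"objects={','.join(f['entities'])} reasons={'; '.join(f['reasons'])}")
```

On the constructed sample, the Data Loader session that pulled 1.26 million rows across three objects and the integration account that pulled 400,000 rows are reported on volume, while the small Data Loader session is reported only because of its client name. In practice the threshold should be derived from each organization's own baseline, and a hit on an integration client is the cue to check which connected app holds that OAuth token and whether it should be revoked.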
Connection to ShinyHunters and Escalated Tactics
The extortion activities linked to UNC6040 are believed to be connected with a separate, yet related, cybercriminal cluster referred to as UNC6240. This group has consistently identified itself with the "ShinyHunters" name in communications directed at employees of victim organizations. In a recent communication, Google indicated that the ShinyHunters collective might soon escalate their tactics by launching a data leak site aimed at intensifying pressure on victims, particularly following the recent Salesforce-related breaches associated with UNC6040.
Recent Developments and Uncertain Future
In recent weeks, there have been significant developments, including an unexpected alliance between ShinyHunters, Scattered Spider, and LAPSUS$. This collaboration aims to consolidate their criminal activities. However, as of September 12, 2025, this newly formed group, identified as "scattered LAPSUS$ hunters 4.0," announced on their Telegram channel that they would be "going dark."
The reason behind this unexpected withdrawal from public operations remains murky. Some experts speculate that it could be a strategy to avoid increased scrutiny from law enforcement. According to Sam Rubin, a senior vice president at Unit 42 Consulting and Threat Intelligence, this declaration does not typically signify a genuine retirement from cybercrime.
While there may be a temporary lull in their activities, history suggests that such groups often re-emerge, adapt, and continue their operations under new aliases. Organizations are thus urged to maintain vigilance. The possibility remains that stolen data may resurface, and hidden backdoors could persist, allowing these criminal actors to return at any moment.
Vigilance is Key
As the situation unfolds, businesses employing Salesforce and similar platforms need to be on high alert. Being proactive about security measures—such as updating security practices and educating staff on recognizing phishing attempts—can greatly reduce the risk of falling victim to these sophisticated cybercriminals. Organizations must operate under the premise that while the current threats have paused, they have not vanished, and readiness is essential in the face of evolving cyber threats.