Google warns hackers stealing Salesforce data from companies

By Margi Murphy and Bloomberg
June 4, 2025, 2:12 PM ET
A hacking group has been impersonating IT personnel to break into companies’ Salesforce tools. (David Paul Morris/Bloomberg via Getty Images)

A hacking group has been impersonating IT personnel to break into companies’ Salesforce tools, using the access for data theft and extortion, according to a new report from Google’s threat intelligence group.

The hackers, who have links to the Com, a loosely affiliated group of hackers largely based in the US, UK and Western Europe, successfully breached the networks of at least 20 companies in the US and Europe, Google said.

They operate by calling up employees and pretending to be IT support personnel, convincing them to provide sensitive credentials and using those credentials to steal Salesforce data, Google said in the report published Wednesday. In some cases, the hacker was able to fool an employee into connecting a malicious app to their organization’s Salesforce portal, allowing the hacker to steal Salesforce data.

Some victims didn’t receive an extortion demand in exchange for the deletion of the data until months after it was stolen, according to the report. The hackers relied on manipulating their victims, not any vulnerability in Salesforce tools, Google said.

“There’s no indication the issue described stems from any vulnerability inherent to our services,” a Salesforce spokesperson said in an email. “Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”

In a March blog post, the company noted that threat actors had been using social engineering techniques to break into its customers’ Salesforce accounts, and it provided guidance to protect against such attacks. 

Google’s report comes as a string of retailers have been hacked in recent months. Marks & Spencer Group Plc is facing a £300 million ($406 million) hit to operating profit this year due to a ransomware attack in April. Fellow British grocer Co-op Group disclosed shortly afterward that it too was the victim of a cyberattack. Adidas AG, Victoria’s Secret & Co., Cartier and North Face have also disclosed cybersecurity incidents in recent weeks. Google’s report didn’t identify specific victims.

“While we’ve seen this group target retail, they have also targeted other industries and we do not have enough information to definitively link this group to the recent hacks in the US and UK more broadly,” said Austin Larsen, principal threat analyst at Google Threat Analyst Group.

The hacking group used infrastructure and methods previously used by members of the Com, Google said. Members of the hacking group Scattered Spider, which was accused of a raft of high-profile attacks in recent years, many of which involved impersonating IT staff, have also been linked to the Com, made up mostly of young male SIM-swappers who organized on social media channels to steal cryptocurrency by taking control of victims’ phone numbers.

Google urged companies to remain vigilant against so-called social engineering attacks.
