Google Mandiant Exposes UNC3753 Vishing Scheme Targeting U.S. Businesses
Google Mandiant has linked a threat actor known as UNC3753 to a campaign that combined phone-based social engineering with physical intrusions to steal data from U.S. organisations and extort victims. The Google Threat Intelligence Group published findings this week detailing how the group used vishing calls to trick employees into providing access credentials, then followed up with operatives who physically entered offices to install harvesting tools. The campaign targeted multiple companies across the United States, according to the report.
Vishing Tactics Deployed Against Corporate Staff
Vishing, a portmanteau of voice and phishing, involves attackers calling employees while pretending to be trusted contacts. In this campaign, UNC3753 callers claimed to represent IT support or security teams. They convinced staff to reset passwords or install remote access software, granting the threat actors entry into corporate networks. Mandiant analysts noted the callers used convincing scripts and caller ID spoofing to increase their success rate.
The group did not stop at digital intrusion. According to Google Mandiant, operatives subsequently visited physical office locations in several U.S. cities. Posing as delivery personnel or maintenance staff, they accessed restricted areas and connected rogue devices directly to company networks. This physical step allowed the attackers to bypass multi-factor authentication in some cases.
Data Theft Followed by Extortion Demands
Once inside the networks, UNC3753 exfiltrated sensitive data including customer records, financial documents, and intellectual property. The group then sent ransom demands to executive leadership, threatening to publish stolen information or sell it to competitors unless payments were made in cryptocurrency. Mandiant confirmed at least one victim organisation paid the demands, though the amount was not disclosed.
The dual approach proved particularly effective because many corporate security programmes focus exclusively on digital threats. Physical security teams and IT departments often operate separately, leaving a gap that UNC3753 exploited systematically. The Google Threat Intelligence Group stated the campaign demonstrated a level of operational coordination rarely seen outside state-sponsored actors.
Why Businesses Should Treat This as a Board-Level Issue
The financial implications extend beyond the immediate ransom payments. Organisations that suffer data breaches face regulatory fines, litigation costs, and reputational damage that can affect stock valuations. For publicly traded companies, a successful attack of this nature can trigger shareholder lawsuits and Securities and Exchange Commission disclosure requirements. Investors should note that cybersecurity posture now represents a material factor in evaluating corporate risk.
Insurance carriers have already begun tightening coverage terms for cyber policies. Carriers are demanding evidence of employee training programmes, physical access controls, and incident response plans before issuing policies. The UNC3753 campaign will likely accelerate this trend, making robust defences a prerequisite for obtaining affordable coverage.
How the Attack Succeeded Against Security Teams
Mandiant's analysis revealed several factors that allowed UNC3753 to succeed. First, the vishing calls occurred during business hours and referenced real employee names obtained from LinkedIn or corporate directories. Second, the physical operatives carried forged identity badges and wore clothing matching standard delivery uniforms. Third, the group timed its intrusions to coincide with office moves or renovations when physical security protocols were typically relaxed.
The attackers also demonstrated patience. In one case, Mandiant documented a six-week period between the initial vishing call and the physical intrusion, allowing time for trust to develop between the operatives and unsuspecting staff members. This extended timeline suggests the group conducted significant reconnaissance before launching its operations.
Recommendations for Corporate Security Programmes
Security experts at Mandiant urged organisations to implement several countermeasures immediately. Multi-person authorisation requirements for password resets and account changes can prevent a single deceptive call from compromising critical systems. Physical security teams should verify the identity of anyone claiming to be maintenance or delivery staff, including checking credentials against a central registry rather than relying on visual inspection alone.
Employee training must cover vishing techniques specifically, not just email-based phishing. Regular testing through simulated calls can help staff recognise the tactics UNC3753 employed. Network segmentation remains essential so that even if initial access is obtained, attackers cannot reach sensitive data stores without additional authentication steps.
What Comes Next
Google Mandiant continues to track UNC3753 and expects the group to refine its methods based on this campaign's success. The Google Threat Intelligence Group has shared indicators of compromise with law enforcement agencies and expects that formal indictments may follow. Corporate security teams should review help-desk, endpoint, badge and network access logs for suspicious calls or physical access events matching the documented patterns. The coming months will reveal whether additional victims step forward or whether the full scope of the campaign remains hidden.
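The log review suggested above can be expressed as two simple correlations that mirror the two phases of the campaign: a phone-initiated credential change followed shortly by a remote-access tool launching on that user's endpoint, and a non-employee badge entry into a restricted area followed shortly by an unknown MAC appearing on a switch port in that same area. The script below is an added example, not code from Mandiant or the report; the log records, tool names, room names, MAC addresses and time windows are all constructed for illustration and would need to be replaced with feeds from the real ticketing, EDR, badge and switch systems.

```python
"""Correlate vishing follow-ups and rogue-device events across constructed logs.

Added example: the records below are invented for illustration and are not
indicators from the Mandiant report. Thresholds (6 h, 30 min) are assumptions.
"""
from datetime import datetime, timedelta

# --- Constructed sample data -------------------------------------------------
# Help-desk tickets: (timestamp, user, channel, action)
HELPDESK_TICKETS = [
    ("2024-03-04T10:12:00", "jdoe",   "phone",  "password_reset"),
    ("2024-03-04T11:05:00", "asmith", "portal", "password_reset"),
    ("2024-03-05T09:40:00", "mlee",   "phone",  "mfa_device_reenroll"),
]

# Endpoint process-start events: (timestamp, user, host, process)
ENDPOINT_EVENTS = [
    ("2024-03-04T10:47:00", "jdoe",   "WS-1182", "AnyDesk.exe"),
    ("2024-03-04T13:10:00", "asmith", "WS-0041", "outlook.exe"),
    ("2024-03-05T15:02:00", "mlee",   "WS-0330", "TeamViewer_Setup.exe"),
]

# Badge reader log: (timestamp, badge_id, holder_type, door)
BADGE_LOG = [
    ("2024-03-06T08:01:00", "E-0412", "employee", "Server Room 2"),
    ("2024-03-06T14:20:00", "V-7731", "visitor",  "Server Room 2"),
]

# Switch MAC-learning log: (timestamp, switch, port, mac, location)
SWITCH_LOG = [
    ("2024-03-06T08:30:00", "sw-floor3", "Gi1/0/02", "00:1a:2b:aa:bb:cc", "Server Room 2"),
    ("2024-03-06T14:26:00", "sw-floor3", "Gi1/0/17", "00:1a:2b:3c:4d:5e", "Server Room 2"),
]

# Asset inventory of MACs expected on the network (constructed).
KNOWN_MACS = {"00:1a:2b:aa:bb:cc"}

# Process names of common remote-access tools (lower-cased for matching).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "teamviewer_setup.exe",
    "screenconnect.client.exe", "atera.exe",
}


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def vishing_followups(tickets, events, window=timedelta(hours=6)):
    """Phone-initiated credential changes followed by a remote-access tool
    starting on the same user's endpoint within `window`.

    Returns a list of (user, ticket_time, host, process) tuples.
    """
    hits = []
    for t_ts, user, channel, _action in tickets:
        if channel != "phone":          # only voice-initiated changes matter here
            continue
        t0 = parse(t_ts)
        for e_ts, e_user, host, proc in events:
            if e_user != user or proc.lower() not in REMOTE_ACCESS_TOOLS:
                continue
            delta = parse(e_ts) - t0
            if timedelta(0) <= delta <= window:   # tool launched after the call
                hits.append((user, t_ts, host, proc))
    return hits


def rogue_device_candidates(badges, switches, known_macs, window=timedelta(minutes=30)):
    """Unknown MAC learned on a port in a restricted area within `window`
    after a non-employee badge entry to that same area.

    Returns a list of (badge_id, door, switch, port, mac) tuples.
    """
    hits = []
    for b_ts, badge, holder, door in badges:
        if holder == "employee":        # focus on visitor/contractor badges
            continue
        t0 = parse(b_ts)
        for s_ts, sw, port, mac, location in switches:
            if location != door or mac in known_macs:
                continue
            delta = parse(s_ts) - t0
            if timedelta(0) <= delta <= window:
                hits.append((badge, door, sw, port, mac))
    return hits


if __name__ == "__main__":
    for hit in vishing_followups(HELPDESK_TICKETS, ENDPOINT_EVENTS):
        print("vishing follow-up:", hit)
    for hit in rogue_device_candidates(BADGE_LOG, SWITCH_LOG, KNOWN_MACS):
        print("rogue device candidate:", hit)
```

On the constructed data this flags jdoe and mlee (phone-initiated changes followed by AnyDesk and TeamViewer launches) and the visitor badge V-7731, whose entry to Server Room 2 is followed six minutes later by an unknown MAC on Gi1/0/17; the portal-initiated reset and the employee entry are ignored. In production the two windows, the tool list and the "known MAC" set are the tuning knobs, and a NAC or 802.1X deployment that blocks unknown devices outright is the stronger control that this detection only approximates.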
See Also
Read the full article on Network Herald