# Google Exposes UNC6783: New Threat Group Targeting Corporate Zendesk Support Tickets


Google's Threat Intelligence team has identified a previously unknown hacking group, UNC6783, actively stealing corporate support tickets from Zendesk accounts. The discovery marks another evolution in how threat actors are targeting the "shadow crown jewels" of enterprise infrastructure — the support ticketing systems where organizations inadvertently expose sensitive technical details, credentials, and system configurations.


## The Threat


UNC6783 represents a new addition to the growing roster of financially motivated hacking groups targeting business-critical SaaS platforms. Unlike attackers focused on ransomware deployment or mass data exfiltration, UNC6783 appears specifically interested in support tickets — the seemingly mundane records of customer interactions with technical support teams.


Key characteristics of UNC6783:

  • Highly targeted approach focusing on specific organizations
  • Sophisticated credential harvesting and account compromise techniques
  • Selective data theft rather than destructive attacks
  • Operational patterns suggest Eastern European or Russian-speaking origins

Google's findings indicate that UNC6783 has successfully compromised Zendesk accounts across multiple organizations, gaining unauthorized access to sensitive support ticket data that would normally be restricted to authorized support staff.


## Why Support Tickets Matter


On the surface, support tickets appear harmless — they're simply records of customers reporting issues and receiving help. However, in practice, support tickets are goldmines of sensitive information:


| Information Type | Security Risk |
|---|---|
| Technical specifications | Reveals infrastructure architecture and software versions |
| Credentials and keys | Support staff often share temporary or permanent access tokens |
| System configurations | Details about internal systems, databases, and integrations |
| Security weaknesses | Customers often describe problems that expose security gaps |
| Business intelligence | Information about deployments, partnerships, and timelines |
| Authentication details | Password reset links, multi-factor authentication bypasses |
| API endpoints and URLs | Internal resource locations and naming conventions |


For an attacker, a single compromised Zendesk account provides a roadmap to an organization's technical infrastructure without triggering the alarms that would accompany direct penetration attempts.


## Technical Details: How UNC6783 Operates


Based on Google's analysis, UNC6783 employs a multi-stage attack methodology:


Stage 1: Initial Access

The group uses credential harvesting campaigns and targeted phishing to obtain Zendesk login credentials for support staff. The initial compromise vector appears to target support team members through:

  • Spear-phishing emails with malicious attachments or links
  • Fake SSO login pages mimicking corporate identity providers
  • Credential stuffing attacks leveraging previously compromised username/password combinations

Stage 2: Account Compromise

Once initial credentials are obtained, attackers attempt to maintain persistence by:

  • Disabling multi-factor authentication on compromised accounts
  • Adding backup email addresses for account recovery
  • Creating API tokens for persistent programmatic access
  • Establishing legitimate-looking sessions to avoid detection

Stage 3: Data Exfiltration

With Zendesk access established, UNC6783 systematically exfiltrates support tickets by:

  • Exporting ticket archives through Zendesk's reporting features
  • Using API access to bulk download ticket data
  • Focusing on high-value targets within ticket queues
  • Covering tracks by deleting audit logs where possible

## The Broader Context


This discovery reflects a concerning trend in enterprise targeting. Support systems, help desks, and customer service platforms have become prime targets because they occupy a unique position in organizational security:


  • High information density: Support tickets concentrate sensitive data in one location
  • Lower security awareness: Support teams may not receive the same security training as infrastructure teams
  • Legitimate use case for data access: Attackers blend in with normal support activities
  • Trust-based design: Most support systems assume that anyone with valid credentials is authorized to access all tickets

UNC6783 joins a growing list of threat actors specifically targeting SaaS support platforms. Previous campaigns have targeted similar systems at other organizations, indicating this represents an established attack pattern rather than an isolated incident.


## Implications for Organizations


The compromise of support tickets exposes organizations to cascading risks:


Immediate Threats:

  • Secondary account compromise: Information in tickets may enable password resets or account takeovers
  • Infrastructure reconnaissance: Technical details accelerate targeted attacks against internal systems
  • Supply chain attacks: Customer information in tickets may be leveraged against connected organizations

Longer-term Exposure:

  • Competitive intelligence theft: Business strategies and roadmaps may be exposed
  • Targeted phishing: Personal information about employees enables highly convincing social engineering
  • Regulatory violations: Exposure of customer data may trigger compliance reporting requirements (GDPR, HIPAA, etc.)

Organizations should assume that any information shared in support tickets may now be compromised and accessible to sophisticated threat actors.


## Detection and Investigation


Google recommends that organizations potentially affected by UNC6783 take immediate steps:


1. Audit Zendesk access logs for unusual login patterns, particularly from unexpected geographic locations or IP ranges

2. Review API token usage to identify unauthorized programmatic access

3. Check for backup email addresses added to accounts during the compromise window

4. Examine ticket exports to identify when bulk data may have been downloaded

5. Verify MFA status across all support team accounts to ensure it wasn't disabled


Organizations should treat any anomalous access as a potential breach requiring immediate incident response.
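As an added illustration (not from Google's report and not Zendesk's own tooling), the triage below turns the five audit steps above into rules and runs them over a constructed set of audit events. The event fields, the country allowlist and the export threshold are assumptions; a real deployment would feed it events from your own Zendesk audit log export.

```python
from datetime import datetime, timedelta

# Assumed, simplified event shape (not Zendesk's real audit log schema); country is
# assumed to be pre-enriched from the source IP:
#   ts (ISO-8601), actor (agent email), country (ISO code), action, target, detail
# Constructed sample events: one agent's session showing each indicator from the list above.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:00Z", "actor": "agent1@example.com", "country": "US",
     "action": "login", "target": "agent1@example.com", "detail": "success"},
    {"ts": "2024-05-01T22:41:00Z", "actor": "agent1@example.com", "country": "MD",
     "action": "login", "target": "agent1@example.com", "detail": "success"},
    {"ts": "2024-05-01T22:43:00Z", "actor": "agent1@example.com", "country": "MD",
     "action": "update", "target": "agent1@example.com", "detail": "two_factor_auth disabled"},
    {"ts": "2024-05-01T22:44:00Z", "actor": "agent1@example.com", "country": "MD",
     "action": "update", "target": "agent1@example.com", "detail": "secondary_email added"},
    {"ts": "2024-05-01T22:46:00Z", "actor": "agent1@example.com", "country": "MD",
     "action": "create", "target": "api_token", "detail": "token created"},
    {"ts": "2024-05-01T22:50:00Z", "actor": "agent1@example.com", "country": "MD",
     "action": "export", "target": "tickets", "detail": "full export"},
    {"ts": "2024-05-01T22:55:00Z", "actor": "agent1@example.com", "country": "MD",
     "action": "export", "target": "tickets", "detail": "full export"},
]

ALLOWED_COUNTRIES = {"US", "GB"}   # assumed corporate footprint; adjust to your own
EXPORT_WINDOW = timedelta(hours=1)  # more than EXPORT_LIMIT exports by one actor in this
EXPORT_LIMIT = 1                    # window is treated as a bulk-download burst

def triage(events, allowed_countries=ALLOWED_COUNTRIES):
    """Apply one rule per audit step above; return (rule, actor, ts) findings in event order."""
    findings = []
    exports = {}  # actor -> timestamps of recent exports
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        action, detail = e["action"], e["detail"].lower()
        if action == "login" and e["country"] not in allowed_countries:  # step 1
            findings.append(("login_from_unexpected_country", e["actor"], e["ts"]))
        if e["target"] == "api_token" and action == "create":           # step 2
            findings.append(("api_token_created", e["actor"], e["ts"]))
        if "secondary_email" in detail and "added" in detail:           # step 3
            findings.append(("backup_email_added", e["actor"], e["ts"]))
        if action == "export":                                          # step 4
            recent = [t for t in exports.get(e["actor"], []) if ts - t <= EXPORT_WINDOW]
            recent.append(ts)
            exports[e["actor"]] = recent
            if len(recent) > EXPORT_LIMIT:
                findings.append(("bulk_export_burst", e["actor"], e["ts"]))
        if "two_factor" in detail and "disabled" in detail:             # step 5
            findings.append(("mfa_disabled", e["actor"], e["ts"]))
    return findings
```

A single agent account tripping several of these rules within minutes, as in the sample, is the pattern worth escalating rather than any one rule on its own.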


## Recommendations for Defense


Immediate Actions:


  • Reset credentials for all support team members and revoke existing API tokens
  • Enforce strong MFA across all Zendesk accounts, preferably with hardware security keys
  • Review and restrict API token scope to limit damage from compromised tokens
  • Enable audit logging with extended retention to detect post-compromise activity
  • Implement IP allowlisting to restrict Zendesk access to known corporate networks

Systemic Improvements:


  • Classify support tickets and restrict access based on sensitivity levels
  • Implement field-level encryption for sensitive data within tickets (credentials, configurations)
  • Separate support accounts — create dedicated, limited-access accounts for routine support without access to sensitive historical tickets
  • Monitor for data exfiltration using SIEM systems to detect bulk ticket exports
  • Conduct security awareness training emphasizing proper handling of credentials and sensitive information in tickets

Long-term Strategy:


  • Evaluate support system architecture — consider whether support staff need access to all historical tickets
  • Implement least privilege access — grant support staff access only to tickets they need to resolve
  • Use secrets management — never share credentials in tickets; use dedicated credential management systems
  • Regular security audits of SaaS platform configurations and access controls
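Added example, not from the page or from Zendesk: a scanner and redactor for ticket text that enforces the "never share credentials in tickets" control before a ticket is stored, covering the credential, authentication-link and key material types from the table above. The patterns are illustrative assumptions to be tuned to your own token formats, and the sample ticket is constructed.

```python
import re

# Assumed, illustrative patterns; tune these to the secret and token formats your environment uses.
PATTERNS = {
    "password_assignment": re.compile(r"(?i)\b(pass(word)?|pwd)\s*[:=]\s*(\S+)"),
    "api_key_or_token": re.compile(r"(?i)\b(api[_-]?key|token|secret)\s*[:=]\s*([A-Za-z0-9_\-]{16,})"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "reset_link": re.compile(r"https?://\S*(reset|recover|verify)\S*", re.I),
}

def scan_ticket(text):
    """Return (pattern_name, matched_text) for every sensitive fragment found in a ticket body."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(text):
            hits.append((name, m.group(0)))
    return hits

def redact_ticket(text):
    """Replace each hit with a labelled placeholder so the stored ticket never holds the secret."""
    for name, rx in PATTERNS.items():
        text = rx.sub(lambda m, n=name: f"[REDACTED:{n}]", text)
    return text

# Constructed sample ticket, not a real customer message.
SAMPLE_TICKET = """Hi, the integration stopped working last night.
Temporary creds so you can reproduce: user=svc_sync password=Tmp!2024xyz
Our API key: api_key=sk_example_0123456789abcdefghij
I also got this link but it expired: https://sso.example.com/reset?token=abc
Thanks"""
```

Wiring `redact_ticket` into the intake path (a ticket-creation webhook or trigger) keeps the secret out of the historical archive that an attacker would export; `scan_ticket` alone is enough for an alert-only deployment.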

## Conclusion


The discovery of UNC6783's campaign against Zendesk users underscores that enterprise security threats extend far beyond firewalls and network perimeters. The support systems where organizations provide customer service have become critical security infrastructure requiring the same rigor applied to production environments. Organizations using Zendesk or similar support platforms should immediately audit their security posture and implement controls to prevent unauthorized access to support ticket systems.