A threat actor designated UNC3753 has conducted a sustained data theft extortion campaign against organizations in the United States, according to new research from Google Mandiant and Google Threat Intelligence Group. The campaign, which ran from January through May 2026, specifically targeted entities in the professional services, legal services, and financial services sectors.
The attackers focused on stealing sensitive data from victim organizations with the apparent intent to use it for extortion purposes. This approach represents a common tactic among financially motivated cybercriminal groups, who threaten to leak or sell stolen information unless victims pay a ransom. The campaign affected dozens of organizations across the targeted sectors.
Google's security teams tracked and analyzed the intrusion activity, ultimately attributing it to UNC3753, a threat actor that operates under multiple known aliases. The researchers documented the group's tactics and techniques throughout the five-month campaign period. The targeting of professional and legal services firms suggests the attackers sought access to confidential client information and sensitive business data that could be leveraged for extortion.
Organizations in the affected sectors face significant risks from data theft operations, including regulatory penalties, reputational damage, and potential legal liability if client information is compromised. The financial services industry in particular maintains strict data protection requirements under various regulatory frameworks. Legal and professional services firms also handle highly sensitive client matters that could be exploited if exposed.
Security teams at organizations in these sectors should review their data loss prevention controls and monitoring capabilities. Recommended actions include implementing network segmentation to limit lateral movement, deploying endpoint detection and response tools, conducting regular security assessments, and establishing incident response procedures for data theft scenarios. Organizations should also review access controls to sensitive data repositories and implement multi-factor authentication across all systems handling confidential information.
Source: https://thehackernews.com/2026/06/unc3753-used-vishing-and-physical.html


