ShinyHunters Leads Surge in Vishing Attacks to Steal SaaS Data
Summary: Google researchers have found that the ShinyHunters gang and its affiliated groups are launching large-scale attacks on enterprises through voice phishing and the theft of SSO/MFA credentials, with the goal of breaking into cloud platforms, stealing sensitive data and extorting the victims. The attack methods keep escalating, more high-value enterprises are being hit, and new tactics such as harassing victims have appeared. 2026-2-2 16:39:20 Author: securityboulevard.com

Google’s Mandiant security researchers are tracking a surge of attacks that have the hallmarks of ShinyHunters campaigns, adding that the attacks appear to be the work not only of the high-profile cybercrime group itself but also of other threat groups.

The extortion-focused attacks, which have been underway since at least last month, feature tactics and techniques that are consistent with earlier ShinyHunters attacks, including the use of sophisticated voice phishing (vishing) schemes and credential harvesting sites that appear related to targeted companies, the researchers wrote in a report.

The bad actors gain access to corporate environments through stolen single sign-on (SSO) and multifactor authentication (MFA) codes and then target software-as-a-service (SaaS) applications to exfiltrate sensitive data and internal communications, which they then use in their extortion demands.

The researchers wrote that the Google Threat Intelligence Group (GTIG) is tracking three threat clusters – UNC6240 (which is ShinyHunters), UNC6661, and UNC6671 – as it looks to better understand how these groups may intertwine.

“While this methodology of targeting identity providers and SaaS platforms is consistent with our prior observations of threat activity preceding ShinyHunters-branded extortion, the breadth of targeted cloud platforms continues to expand as these threat actors seek more sensitive data for extortion,” the Mandiant researchers wrote. “Further, they appear to be escalating their extortion tactics with recent incidents, including harassment of victim personnel, among other tactics.”

Reports From All Over

The report came days after cybersecurity firm Silent Push outlined a campaign that appears to dovetail with what Mandiant found. Silent Push reported what its researchers called an active “massive identity-theft campaign” that is targeting Okta SSO and other SSO platform accounts across more than 100 “high-value enterprises.”

Again, the tactics, techniques, and procedures (TTPs) behind the campaign mirror those of SLSH, an alliance between ShinyHunters and two other high-profile threat groups, Scattered Spider and Lapsus$.

“This isn’t a standard automated spray-and-pray attack; it is a human-led, high-interaction voice phishing (‘vishing’) operation designed to bypass even hardened Multi-Factor Authentication (MFA) setups,” the Silent Push researchers wrote.

Custom Vishing Kits

In a report last month, Okta Threat Intelligence researchers noted that a number of custom phishing kits used by bad actors have been enhanced to be usable in vishing campaigns. The kits are available to threat groups as a service and are increasingly being used to target Google, Microsoft, Okta, and a range of cryptocurrency providers, they wrote.

The Mandiant researchers wrote that “while [Okta researchers] associate this activity with multiple threat clusters, at least some of the activity appears to overlap with the ShinyHunters-branded operations tracked by GTIG.”

Such campaigns are raising concerns about ShinyHunters ramping up its efforts to steal information and use it to extort companies. The threat group last week announced on X (formerly Twitter) that it had stolen 14 million records that contain the sensitive information of Panera Bread customers.

“ShinyHunters’ intensified aggressive campaign represents a substantial escalation in extortion-as-a-service,” said Noelle Murata, senior security engineer with cybersecurity vendor Xcape. “The group has moved beyond simple data theft and is systematically eroding the digital trust of prominent brands. By releasing 14 million Panera Bread records, along with vast datasets from SoundCloud, Crunchbase, and Betterment, ShinyHunters is executing a rapid attack cycle that outpaces conventional incident response.”

A Shift in Tactics

Murata noted the group’s shift to compromising identity platforms via vishing-based SSO attacks, which, as Mandiant noted, is becoming a trademark of their efforts in this new year.

It “demonstrates that even strong security perimeters are susceptible to sophisticated, human-focused exploits,” she said. “This is not just a collection of isolated breaches; it’s a calculated ‘shaming campaign’ aimed at punishing companies that refuse to pay ransoms by permanently damaging their customer relationships through leaked personally identifiable information (PII).”

The campaigns outlined by Mandiant are relatively simple. The bad actors contact targets through vishing, send the victims a phishing link used to steal SSO and MFA credentials, and use those credentials to gain access into companies’ environments. From there, they compromise and steal information from cloud applications.

Company-Branded Attacks

Since mid-January, UNC6661 has run a campaign in which it pretends to be part of a target company’s IT staff and contacts employees claiming to be updating MFA settings. The employees are directed to credential harvesting sites that look like the company’s legitimate sites. Their SSO and MFA credentials are captured, and the bad actor then registers its own device for MFA on the compromised account.
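The step that turns a captured credential into persistent access is the enrollment of an attacker-controlled MFA device. One defensive check that follows from this, as an added example that is not part of the original article: scan identity-provider sign-on logs for a new MFA factor activated shortly after a login by the same user from a different source IP. The events below are constructed samples loosely modeled on Okta-style event type names; the field names and window are assumptions, not a real log schema.

```python
"""Flag MFA factor enrollments that closely follow a login from a different IP.
Sample events are constructed for this example; field names are assumptions."""
from datetime import datetime, timedelta

# Constructed sample log events (not real data); IPs are documentation ranges.
EVENTS = [
    {"ts": "2026-01-20T14:02:11Z", "user": "alice@example.com",
     "event": "user.session.start", "ip": "203.0.113.10"},
    {"ts": "2026-01-20T14:03:40Z", "user": "alice@example.com",
     "event": "user.mfa.factor.activate", "ip": "198.51.100.77"},
    {"ts": "2026-01-20T09:00:00Z", "user": "bob@example.com",
     "event": "user.session.start", "ip": "203.0.113.20"},
    {"ts": "2026-01-20T16:30:00Z", "user": "bob@example.com",
     "event": "user.mfa.factor.activate", "ip": "203.0.113.20"},
]

LOGIN = "user.session.start"          # assumed login event name
ENROLL = "user.mfa.factor.activate"   # assumed new-MFA-factor event name


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def suspicious_enrollments(events, window_minutes=30):
    """Return (user, login_ip, enroll_ip) for every MFA enrollment that happens
    within window_minutes after a login by the same user from a different IP."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        logins = [e for e in evs if e["event"] == LOGIN]
        for enroll in (e for e in evs if e["event"] == ENROLL):
            t_enroll = parse_ts(enroll["ts"])
            for login in logins:
                dt = t_enroll - parse_ts(login["ts"])
                # Enrollment after the login, inside the window, from another IP.
                if (timedelta(0) <= dt <= timedelta(minutes=window_minutes)
                        and login["ip"] != enroll["ip"]):
                    hits.append((user, login["ip"], enroll["ip"]))
                    break
    return hits


if __name__ == "__main__":
    for user, login_ip, enroll_ip in suspicious_enrollments(EVENTS):
        print(f"ALERT {user}: login from {login_ip}, new MFA factor from {enroll_ip}")
```

Bob's enrollment is hours later and from the same address, so only Alice's account is flagged; in practice the IP comparison would be replaced by device or ASN context from the real log schema.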

“In at least one case, after conducting the initial data theft, UNC6661 used their newly obtained access to compromised email accounts to send additional phishing emails to contacts at cryptocurrency-focused companies,” the researchers wrote. “The threat actor then deleted the outbound emails, likely in an attempt to obfuscate their malicious activity.”

They attributed the extortion efforts after the compromise to ShinyHunters, noting a common account used for negotiations, the “ShinyHunters-branded extortion emails,” and the use of LimeWire to host samples of the stolen data.

Similar but Different

Vishing operations tagged to UNC6671 were similar to those of UNC6661, though there were some differences, such as using a different registrar for its credential harvesting domains, PowerShell to download data from Microsoft SharePoint and OneDrive, and an unbranded extortion email. The threat actors also were aggressive in their extortion tactics, including harassing people within the victim company.

“The extortion tactics and difference in domain registrars suggest that separate individuals may be involved with these sets of activity,” they wrote.

Along with the report, Mandiant also released a guide to proactive defense measures organizations can take.

“I think the big takeaway here for cybersecurity practitioners should be that this isn’t just data theft, it’s ammunition collection for future attacks,” said Denis Calderone, COO and chief revenue officer for security firm Suzu Labs. “When we see that names, phone numbers, addresses, dates of birth have been collected from 14 million Panera customers, 30 million SoundCloud users, and 20 million Betterment account holders, we immediately start imagining the new phishing attacks that are almost certainly on their way.”

Article source: https://securityboulevard.com/2026/02/shinyhunters-leads-surge-in-vishing-attacks-to-steal-saas-data/