The FBI Issues Alert on Cybercriminal Groups UNC6040 and UNC6395
The U.S. Federal Bureau of Investigation (FBI) has released a flash alert detailing indicators of compromise (IoCs) linked to cybercriminal groups UNC6040 and UNC6395. These groups are responsible for a series of data theft and extortion attacks targeting organizations’ Salesforce platforms.
UNC6395 has been identified as a threat group that conducted a data theft campaign targeting Salesforce instances in August 2025. The attack exploited compromised OAuth tokens for the Salesloft Drift application, which was made possible by a breach of Salesloft’s GitHub account.
Following the breach, Salesloft has taken steps to strengthen its security, including new multi-factor authentication processes and GitHub hardening measures.
UNC6040, on the other hand, is a financially motivated threat group that has engaged in vishing campaigns to hijack Salesforce instances for data theft and extortion. These attacks involve the use of modified Salesforce applications and custom Python scripts to exfiltrate data.
Google has attributed the extortion activities to another group tracked as UNC6240, which has been identified as the ShinyHunters group. These groups have been using phishing panels and social engineering tactics to access victims’ data.
Recent developments include various cybercrime groups collaborating to consolidate their efforts, with one group announcing its retirement on its Telegram channel.
While the reasons for the retirement are unclear, it is important for organizations to remain vigilant as threat groups may resurface under different names. Stolen data can resurface, undetected backdoors may persist, and actors may re-emerge in the future.
It is essential for organizations to stay proactive in their security measures and operate under the assumption that threats have not disappeared, but have only adapted to new tactics.




