How Google finds itself the victim of a cyber attack which he himself had documented

It is a research paper that has continued to be updated since its first publication on June 4, 2025.

In this article. Furthermore, the cybersecurity research team of Google Threat Intelligence dissects the methods of a sophisticated attack based on social engineering.

In a first note added on August 5, Google announces that its teams were themselves deceived by cybercriminals. For example, Then. Moreover, on how google finds itself victim August 8, two new updates come to specify the situation: the first informs that the customers concerned by the data leak will receive a notification email, the second announces the closure of the incident, all the victims having officially been alerted.

The title of the paper perfectly sums up the facts: ” The Cost of a Call: From Voice Phishing to Data Extortion “. Therefore, Which can be translated as” The price of a call: from voice to data extortion ». Consequently, For several months. a malicious actor has diverted the Salesforce platform to trap employees of large companies and access customer information.

The attack. which has targeted Google and other companies, is particularly sneaky: a false computer support calls an employee and leads it to authorize, via Salesforce, a rigged version of the Data Loader tool. This fraudulent application then offers hackers access to databases, without exploiting technical flaws, only by human manipulation.

How google finds itself victim

Who hides behind this attack?

Google Threat Intelligence researchers designate the cybercriminal group under the name of UNC6040. A temporary name (UNC being the diminutive of UNCATEGORIZED) before being able to formally attribute the attack to a. cybercriminal group.

For its part. the American media Bleeping Computer declares to be in contact with some of how google finds itself victim these hackers, formally associated with Shinyhuters. A specialized group, precisely, in the extortion of data for several years.

In these anonymous communications, pirates claim not to act alone. They would work in close collaboration with another group, specialized in Ransomware: Scattered Spider. “” They provide us with the initial access and we carry out the copy and exfiltration of the Salesforce CRM instances. »

Large groups as a privileged target

In an interview with Numerama in July 2025. Adam Meyers, vice-president of defense of threats at Crowdstrike, also confided that Scatotered Spider represented one of the most viewed threats to businesses.

According to the expert. their particularly effective method would reflect the evolution of threats to organizations: “ Identity and Cloud are the two largest vectors by which cybercriminals are introduced. It would be important for people to understand that rather than trying to break into malware. opponents are how google finds itself victim content to steal identities and connect as legitimate users, which is very difficult to follow. »

It is precisely this type of method that hit the bull’s eye at Google. other large groups victims of this cyber attack by Salesforce.

Via a press release addressed to the press. ESET researchers alerted, this Monday, August 11, 2025, on the risks that a union union could weigh between Shinyhunters and Scattered Spider.

Is Air France part of the list of victims? The hypothesis is taken seriously. The French airline has recently been the victim of a “data violation”. but for the time being, no official has been formally pointed out. In early July 2025, the FBI also pointed out that Scatotered Spider had set its sights on the air sector.