UNC3753: Vishing Calls Combined With Physical Office Intrusions in U.S. Data Theft Extortion Campaign

Threat group UNC3753 has been documented combining voice phishing (vishing) with physical office intrusions to conduct data theft and extortion against U.S. organisations. The group uses vishing to gather employee credentials and facility access information, then deploys operatives physically to compromise targets. The hybrid TTPs represent a significant escalation in social engineering attack sophistication.


Mandiant has documented UNC3753, a financially motivated threat group conducting data theft extortion against U.S. organisations, using a combination of voice phishing (vishing) and physical office intrusion. The group’s operational pattern — documented across multiple confirmed incidents — uses vishing calls to extract employee credentials and building access information before deploying operatives who physically enter target facilities to access workstations and server rooms.

The technique combines the social engineering effectiveness of vishing (which has a significantly higher success rate than email phishing) with the access advantages of physical presence. An operative who has obtained valid employee credentials and badge access information via vishing can walk into a target facility, access internal systems that are not internet-facing, and exfiltrate data via USB or direct network connection without triggering remote-access detection controls.

UNC3753 TTP Profile

Initial vishing phase:

The group conducts targeted reconnaissance of employee names, roles, and responsibilities using LinkedIn and public corporate directories. Operatives place calls to employees, typically impersonating:

  • IT helpdesk staff requesting credential verification for a system upgrade
  • Corporate security personnel investigating an account compromise
  • HR representatives for benefit or payroll-related credential collection
  • Executives’ assistants requesting access badge updates

The vishing calls use VoIP numbers with caller ID spoofing to display internal company phone numbers or known vendor numbers. Employees who receive a call from what appears to be the internal IT helpdesk number are significantly more likely to comply with credential requests than those receiving external calls.

Physical intrusion phase:

Using credentials and building access information gathered via vishing, operatives enter target facilities during business hours. In documented incidents, operatives posed as:

  • IT contractors for scheduled maintenance
  • Delivery personnel
  • Cleaning and facilities staff
  • Third-party auditors

Once inside, operatives accessed unattended workstations, plugged in USB devices for data exfiltration, accessed server rooms where physical access was possible, and in some cases installed persistent remote access hardware (small form-factor devices connected to network ports in equipment rooms or conference rooms).

Extortion phase:

Following data exfiltration, UNC3753 contacts the target organisation’s leadership directly (via email or phone), presents evidence of the exfiltrated data, and demands payment to prevent publication. The group operates exclusively as an extortion actor — no ransomware deployment.

Detection and Prevention Controls

Technical controls against vishing:

  • Caller ID verification policy: Establish an IT helpdesk policy that legitimate helpdesk calls will never request passwords, MFA codes, or badge access information over the phone. Train employees to call back on a known-good number before providing credentials to any inbound caller.
  • Privileged access management: Ensure that credential resets and access changes cannot be authorised based on phone or email requests alone — require in-person verification or MFA-verified request through a ticketing system.
  • Inbound call monitoring: Evaluate whether inbound calls to critical departments (IT helpdesk, security, HR, finance) should be screened or recorded for unusual credential-request patterns.

Physical security controls:

  • Visitor management: All visitors to non-public areas should be logged, badged, and escorted. Unescorted visitors in office or server areas should be challenged by any employee.
  • Tailgating prevention: Physical security awareness training for all employees on tailgating (following an employee through a secured door without badging in). Badge access logs should flag events in which two people passed through a door on a single badge read.
  • Server room access control: Server room and network closet access should be badge-controlled with access logs reviewed weekly. Equipment plugged into server room network ports should be inventoried.
  • USB port controls: Enforce Group Policy or endpoint configuration management policies that block USB mass storage devices on all workstations and servers, and use physical USB port blockers in high-security areas.
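The server room inventory control above only helps if someone actually compares what is plugged in against the inventory. The following is an added example (not from the Mandiant reporting and not the group's tooling) that diffs a switch MAC-address-table snapshot against an asset inventory and reports any address on a monitored segment that is not inventoried, or that is inventoried for a different zone. The switch names, port names, zone labels and MAC addresses are constructed sample data; the one real-world value is the b8:27:eb OUI, which belongs to the Raspberry Pi Foundation and is included only to show how a small form-factor device would stand out.

```python
"""Rogue network device check against an asset inventory.

Added example: inputs are constructed sample data, not data from any incident.
Port names, zone labels and MAC addresses are assumptions for illustration.
"""
from dataclasses import dataclass

# Constructed asset inventory: MAC address -> (hostname, zone it is allowed in)
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("srv-db-01", "server-room"),
    "00:1a:2b:3c:4d:02": ("srv-app-01", "server-room"),
    "00:1a:2b:3c:4d:10": ("core-sw-01", "server-room"),
    "00:1a:2b:3c:4d:20": ("conf-room-ap", "conf-room-3"),
}

# OUI hints for device classes worth a closer look. b8:27:eb is the
# Raspberry Pi Foundation OUI; the label text is ours.
OUI_HINTS = {
    "b8:27:eb": "single-board computer (Raspberry Pi Foundation OUI)",
}

# Constructed MAC-address-table snapshot: "<switch> <port> <zone> <mac>" per line
MAC_TABLE_SNAPSHOT = """\
core-sw-01 Gi1/0/1 server-room 00:1a:2b:3c:4d:01
core-sw-01 Gi1/0/2 server-room 00:1a:2b:3c:4d:02
core-sw-01 Gi1/0/7 server-room 00:1a:2b:3c:4d:10
core-sw-01 Gi1/0/9 server-room d8:3a:dd:00:11:22
edge-sw-02 Gi1/0/3 conf-room-3 00:1a:2b:3c:4d:20
edge-sw-02 Gi1/0/4 conf-room-3 b8:27:eb:00:22:33
"""


@dataclass(frozen=True)
class Finding:
    switch: str
    port: str
    zone: str
    mac: str
    reason: str


def parse_mac_table(text):
    """Parse the snapshot into (switch, port, zone, mac) tuples, MACs lower-cased."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        switch, port, zone, mac = line.split()
        rows.append((switch, port, zone, mac.lower()))
    return rows


def find_unknown_devices(snapshot, inventory, monitored_zones):
    """Report MACs on monitored zones that are uninventoried or in the wrong zone."""
    findings = []
    for switch, port, zone, mac in parse_mac_table(snapshot):
        if zone not in monitored_zones:
            continue
        if mac not in inventory:
            hint = OUI_HINTS.get(mac[:8], "unknown vendor")
            findings.append(Finding(switch, port, zone, mac,
                                    f"MAC not in asset inventory ({hint})"))
        elif inventory[mac][1] != zone:
            findings.append(Finding(switch, port, zone, mac,
                                    f"inventoried for {inventory[mac][1]}, seen in {zone}"))
    return findings


if __name__ == "__main__":
    for f in find_unknown_devices(MAC_TABLE_SNAPSHOT, INVENTORY,
                                  {"server-room", "conf-room-3"}):
        print(f"{f.switch} {f.port} [{f.zone}] {f.mac}: {f.reason}")
```

Running this weekly against a fresh snapshot, together with the badge-log review, turns the "equipment should be inventoried" control into something that actually produces an alert when a device appears on a server room or conference room port. The zone-mismatch branch catches an inventoried device that has been moved, which is a weaker but still useful signal.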

Detection indicators:

  • Badge access log anomalies: entries at unusual times, entries by employees not expected to be in the office
  • Workstation access after business hours from accounts not belonging to staff on-call
  • New network devices appearing on internal LAN segments, particularly in server rooms or network closets
  • USB storage device connection events on workstations in areas that were accessed by visitors
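The indicators above are only useful if badge events and endpoint events are correlated rather than reviewed in separate consoles. The following added example (not Mandiant's code and not drawn from any documented incident) parses constructed badge-reader and endpoint USB logs and raises three of the listed indicators: after-hours badge entries by employees who are not on call, entries by employees not on the expected on-site roster for that day, and USB mass-storage connections on hosts in a zone that a visitor badge entered earlier the same day. The log field layout, business-hours window, zone labels, hostnames, names and roster are all assumptions for illustration.

```python
"""Correlate badge-reader and endpoint USB events for physical-intrusion indicators.

Added example with constructed logs; field names, zones and hours are assumptions.
"""
from datetime import datetime, time

# Assumed local business hours used for the after-hours check
BUSINESS_HOURS = (time(7, 0), time(19, 0))

BADGE_FIELDS = ["timestamp", "badge_id", "holder", "holder_type", "zone", "result"]
USB_FIELDS = ["timestamp", "hostname", "zone", "user", "device_class"]

# Constructed badge reader log (one granted/denied event per line)
BADGE_LOG = """\
2024-03-12T08:02:11,B1001,alice,employee,floor-3,granted
2024-03-12T08:05:40,B1002,bob,employee,floor-3,granted
2024-03-12T10:15:03,V0042,visitor-it-contractor,visitor,floor-3,granted
2024-03-12T10:16:30,V0042,visitor-it-contractor,visitor,server-room,granted
2024-03-12T11:02:00,B1009,dave,employee,floor-3,granted
2024-03-12T21:47:55,B1007,carol,employee,server-room,granted
"""

# Constructed endpoint USB device-connection events
USB_LOG = """\
2024-03-12T09:12:44,ws-f3-22,floor-3,bob,hid_keyboard
2024-03-12T10:31:18,ws-f3-17,floor-3,alice,mass_storage
2024-03-12T10:44:09,srv-console,server-room,svc_admin,mass_storage
2024-03-12T14:20:00,ws-f2-05,floor-2,erin,mass_storage
"""

# Constructed roster: employees expected on site per day, and who is on call
EXPECTED_ONSITE = {"2024-03-12": {"alice", "bob", "carol"}}
ON_CALL = {"bob"}


def parse_csv_lines(text, fields):
    """Turn comma-separated lines into dicts, adding a parsed 'ts' datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = dict(zip(fields, line.split(",")))
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def badge_anomalies(badge_rows, expected_onsite, on_call):
    """Flag after-hours entries by non-on-call staff and entries not on the roster."""
    findings = []
    for r in badge_rows:
        if r["result"] != "granted" or r["holder_type"] != "employee":
            continue
        day = r["ts"].date().isoformat()
        t = r["ts"].time()
        in_hours = BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]
        if not in_hours and r["holder"] not in on_call:
            findings.append((r["ts"], r["holder"], r["zone"],
                             "after-hours entry by employee not on call"))
        if r["holder"] not in expected_onsite.get(day, set()):
            findings.append((r["ts"], r["holder"], r["zone"],
                             "employee not on expected on-site roster"))
    return findings


def visitor_zone_windows(badge_rows):
    """Map (day, zone) -> earliest time a visitor badge was granted entry."""
    windows = {}
    for r in badge_rows:
        if r["holder_type"] == "visitor" and r["result"] == "granted":
            key = (r["ts"].date().isoformat(), r["zone"])
            windows[key] = min(windows.get(key, r["ts"]), r["ts"])
    return windows


def usb_in_visited_zones(usb_rows, windows):
    """Flag mass-storage connections in a zone after a visitor entered it that day."""
    findings = []
    for u in usb_rows:
        if u["device_class"] != "mass_storage":
            continue
        entered = windows.get((u["ts"].date().isoformat(), u["zone"]))
        if entered is not None and u["ts"] >= entered:
            findings.append((u["ts"], u["hostname"], u["user"], u["zone"],
                             f"mass storage connected after visitor entry at {entered.time()}"))
    return findings


def run():
    """Run both checks over the constructed logs and return the findings."""
    badge = parse_csv_lines(BADGE_LOG, BADGE_FIELDS)
    usb = parse_csv_lines(USB_LOG, USB_FIELDS)
    return {"badge": badge_anomalies(badge, EXPECTED_ONSITE, ON_CALL),
            "usb": usb_in_visited_zones(usb, visitor_zone_windows(badge))}


if __name__ == "__main__":
    for kind, items in run().items():
        for item in items:
            print(kind, *item)
```

On the constructed data this raises carol's 21:47 server-room entry, dave's entry while not on the roster, and the two mass-storage connections (one on a floor-3 workstation, one on the server-room console) that follow the contractor visitor's badge reads; the floor-2 event is left alone because no visitor entered that zone. In a real deployment the roster would come from the HR or scheduling system and the visitor windows from the visitor management log, and the USB check is a backstop for the case where the mass-storage block policy has not reached every host.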
