UNC6040 and UNC6395 are emerging threat actors in the high-stakes world of cybersecurity, constantly evolving their tactics to target cloud-based platforms that hold sensitive business data. The FBI’s recent FLASH alert shines a spotlight on these groups—known for infiltrating Salesforce environments to steal valuable information and launch extortion schemes. If your organization relies on Salesforce for customer relationship management (CRM), this should be on your radar. In this article, we’ll unpack who these actors are, how they’re operating, the risks they pose, and why the FBI is sounding the alarm, along with steps to safeguard your systems.

The Rise of UNC6040 and UNC6395: Profiles of the Threat Actors

UNC6040 and UNC6395 are designations used by cybersecurity researchers to track clusters of cybercriminals without attributing them to specific nation-states or organizations. These labels help in analyzing patterns without revealing sensitive intelligence.

  • UNC6040: First identified by Google Threat Intelligence (formerly Mandiant) in June 2025, this group has been active since late 2024. They’re closely linked to the notorious ShinyHunters extortion gang and show overlaps with other actors like Lapsus$ and Scattered Spider, who rebrand themselves as “Scattered Lapsus$ Hunters.” UNC6040 specializes in social engineering to gain a foothold in corporate networks, particularly targeting Salesforce users.
  • UNC6395: This newer cluster emerged in mid-August 2025 (activities tracked from August 8th to 18th), exploiting stolen credentials from third-party integrations. Like UNC6040, they’re tied to ShinyHunters and the Scattered Lapsus$ Hunters collective. Their operations stem from a March 2025 breach of Salesloft’s GitHub repositories, where attackers stole OAuth and refresh tokens for Salesloft’s Drift integration.

These groups aren’t lone wolves; they’re part of a broader ecosystem of data thieves who monetize stolen information through extortion, often leaking samples on forums to pressure victims.

Tactics, Techniques, and Procedures: How UNC6040 and UNC6395 Are Breaching Salesforce

Both actors focus on Salesforce, a cornerstone CRM tool for countless businesses, but their entry points differ, highlighting the dangers of human error and supply chain weaknesses.

  • UNC6040’s Approach: They rely heavily on social engineering, including vishing (voice phishing) calls where attackers pose as IT support. Victims are tricked into connecting malicious OAuth apps, such as renamed tools like “My Ticket Portal,” to their Salesforce accounts. Once authorized, the attackers use Salesforce Data Loader to mass-exfiltrate data from key tables like “Accounts” and “Contacts,” which contain customer details, emails, and business intelligence.
  • UNC6395’s Approach: This group capitalizes on stolen tokens from Salesloft Drift, a sales engagement platform integrated with Salesforce. Using these compromised OAuth and refresh tokens, they access support case information within Salesforce instances. From there, they mine the data for high-value secrets—AWS keys, passwords, Snowflake tokens, and more—to pivot to other cloud services. In some cases, they’ve even stolen Drift Email tokens to infiltrate Google Workspace accounts and siphon emails.

These tactics exploit the trust in OAuth mechanisms and employee interactions, bypassing traditional perimeter defenses. The result? Rapid data theft that can go undetected for weeks.

The Risks: Data Theft, Extortion, and Broader Implications

The FBI’s concern stems from the escalating impact of these intrusions. UNC6040 and UNC6395 aren’t just stealing data for fun—they’re using it for extortion, posting samples on cybercrime forums to coerce payments. The stolen Salesforce data often includes sensitive customer records, which can lead to identity theft, regulatory fines under laws like GDPR or CCPA, and reputational harm.

Worse still, the groups have claimed access to ultra-sensitive systems, such as the FBI’s E-Check background check platform and Google’s Law Enforcement Request system. This could enable impersonation of authorities or unauthorized access to law enforcement records, amplifying risks for government contractors and critical infrastructure.

Affected sectors span technology (e.g., Cisco, Cloudflare, Palo Alto Networks), retail and fashion (e.g., Louis Vuitton, Adidas), insurance (e.g., Allianz, Farmers), travel (e.g., Qantas), and more. Since late 2024, these actors have hit dozens of high-profile targets, with the FBI noting a “rising number of data theft and extortion intrusions.” For businesses, the fallout includes financial losses from ransoms, legal battles, and supply chain disruptions if credentials lead to lateral movement in cloud environments.

In essence, these threats underscore a vulnerability in cloud-native apps: even robust platforms like Salesforce can be weaponized if integrations and user access aren’t locked down.

The FBI’s Warning: A Call to Action

The FBI’s September 12, 2025, FLASH alert—titled “Indicators of Compromise Associated with Malicious Cyber Actors Compromising Salesforce Customer Relationship Management Software”—is a direct response to these threats. Released via the Internet Crime Complaint Center (IC3), it disseminates Indicators of Compromise (IOCs) like IP addresses, domains, and file hashes to help organizations detect and block these actors. The alert emphasizes maximizing awareness for network defense, warning that UNC6040 and UNC6395’s activities could evolve further.

Why the worry? The FBI sees these groups as part of a trend toward targeted extortion in cloud services, potentially affecting national security if sensitive data falls into the wrong hands. As one expert noted in the alert context, “These intrusions represent a significant risk to both private sector entities and public safety.”

Mitigation Steps: Protecting Your Salesforce Environment

The good news is that proactive measures can thwart these actors. Salesloft has already revoked all Drift tokens and mandated reauthentication for customers, but organizations must go further. Here’s a step-by-step guide based on FBI recommendations and best practices:

  1. Monitor for IOCs: Review the FBI’s full alert (available at ic3.gov) for the latest indicators. Use tools like SIEM systems or threat intelligence platforms to scan your network for suspicious IPs, domains, or OAuth app connections.
  2. Secure OAuth and Integrations: Audit all third-party apps connected to Salesforce, especially Salesloft Drift. Revoke unnecessary permissions, enforce multi-factor authentication (MFA) for app approvals, and regularly rotate tokens. Disable legacy OAuth flows if possible.
  3. Combat Social Engineering: Train employees on vishing and phishing red flags—never approve unknown app connections without verification. Implement just-in-time access for Salesforce Data Loader and similar tools.
  4. Enhance Access Controls: Use Salesforce’s built-in features like IP restrictions, session policies, and event monitoring to detect anomalous data exports. Segment sensitive data in “Accounts” and “Contacts” tables to limit blast radius.
  5. Conduct Regular Audits and Incident Response: Perform quarterly reviews of Salesforce logs for unauthorized access. Develop an incident response plan tailored to cloud breaches, including isolating compromised accounts and notifying affected parties.
  6. Collaborate and Stay Updated: Partner with Salesforce for security advisories and enable their Shield platform for advanced logging. Report suspicions to the FBI via IC3.gov.
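The two intrusion patterns described above (an unapproved OAuth app followed by Data Loader style mass reads of Accounts and Contacts, and a trusted integration such as Drift reading objects it never used to touch) both leave a trace in Salesforce API event logs, which is what steps 1, 4 and 5 ask you to review. The script below is an added example, not code from the FBI alert, Salesforce or Salesloft: it runs three checks over constructed log rows whose column names follow the Salesforce EventLogFile "API" event type, and the approved-app list, expected object scopes and row threshold are assumptions you would replace with your own org's policy.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows modeled on the Salesforce EventLogFile "API" event
# type (column names follow that type; user ids, clients and counts are invented).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-09-10T08:01:00Z,005A1,SalesforceForOutlook/1.0,Contact,40
API,2025-09-10T09:30:00Z,005B2,My Ticket Portal,Account,50000
API,2025-09-10T09:31:00Z,005B2,My Ticket Portal,Contact,50000
API,2025-09-10T09:32:00Z,005B2,My Ticket Portal,Contact,50000
API,2025-09-10T10:00:00Z,005C3,Salesloft Drift,Lead,300
API,2025-09-10T10:02:00Z,005C3,Salesloft Drift,Case,500
"""

# Assumed org policy: approved connected apps and the objects each is expected
# to touch. Maintain this from the Connected Apps OAuth Usage page in Setup.
APPROVED_SCOPE = {
    "SalesforceForOutlook/1.0": {"Account", "Contact", "Event"},
    "Salesloft Drift": {"Lead", "Contact", "Account"},
}
SENSITIVE_OBJECTS = {"Account", "Contact", "Case"}
ROW_THRESHOLD = 20000  # total rows per user+client+object in the log window


def analyze(log_text, approved_scope=APPROVED_SCOPE, threshold=ROW_THRESHOLD):
    """Return sorted findings: unapproved apps, scope drift, bulk reads."""
    findings = set()
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        user, client, obj = row["USER_ID"], row["CLIENT_NAME"], row["ENTITY_NAME"]
        if client not in approved_scope:
            # An app nobody vetted, the kind a vishing victim is coaxed into authorizing.
            findings.add(("unapproved_client", user, client))
        elif obj not in approved_scope[client]:
            # A legitimate integration reading objects outside its expected scope.
            findings.add(("scope_drift", user, client, obj))
        if obj in SENSITIVE_OBJECTS:
            totals[(user, client, obj)] += int(row["ROWS_PROCESSED"])
    for (user, client, obj), rows in totals.items():
        if rows >= threshold:
            # Data Loader style mass export of a sensitive object.
            findings.add(("bulk_export", user, client, obj, rows))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Feed it the decompressed EventLogFile CSV for the API event type and tune the threshold to your org's normal integration volume; the scope-drift check is what would have surfaced a Drift token suddenly reading support cases.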

By implementing these steps, you can reduce your exposure and turn the tide against groups like UNC6040 and UNC6395.

Conclusion: Don’t Wait for the Knock

UNC6040 and UNC6395 represent a sophisticated evolution in cyber extortion, exploiting the very tools businesses depend on for growth. The FBI’s alert is a wake-up call: ignoring these threats could cost you dearly in data, dollars, and trust. If your organization uses Salesforce, audit your setup today and prioritize employee awareness. Cybersecurity is a shared responsibility—stay informed, act decisively, and keep your defenses ahead of the curve. For more insights, check resources from the FBI and Salesforce security teams.
