Data theft extortion groups are targeting professional, legal and financial services organizations by impersonating IT support, cybersecurity organizations said on Friday (June 5).
The groups pose as IT technicians both remotely and in person, Mandiant and Google Threat Intelligence Group wrote in a blog post published on Friday.
In remote campaigns, the groups first contact employees by email about data migration or invoices, then use those messages as a pretext to start phone conversations in which they pretend to be IT support. On these calls, they persuade targets to start screen-sharing sessions and to download remote management and monitoring tools.
In in-person campaigns, the groups send individuals posing as IT technicians into corporate offices, where they attempt to steal data using USB storage media.
Once they have gained access by either route, the groups steal proprietary legal agreements, personally identifiable information, financial records and other highly sensitive data. They then open ransom negotiations while threatening to publicly release the stolen data.
Between January and May, data theft extortion groups targeted dozens of organizations with these types of attacks, according to the post.
The FBI reported in May that it had observed a group called Silent Ransom Group (SRG), which has carried out data theft extortion operations since at least 2022 and has been posing as IT department employees since the spring of 2026.
“While the SRG has harmed companies in numerous sectors including those in the insurance, finance, and healthcare sectors, the group has consistently targeted U.S.-based law firms since spring 2023,” the FBI said in an intelligence bulletin published May 26.
Mandiant and Google Threat Intelligence Group said in Friday's blog post that organizations can mitigate the threat of these attacks by educating employees about the threat; verifying the identities of all external contractors, technical staff and visitors; implementing conditional access controls for remote access; imposing strict controls on management tools, remote monitoring and screen-sharing software; disabling read/write capabilities for all external USB storage devices; monitoring networks; and reviewing authentication and access metrics.
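One of the recommended controls, denying read and write access to removable disks, can be audited and enforced on a single Windows host with the PowerShell below. This is an added example, not code from the Mandiant/Google post; it assumes it runs as Administrator and uses the standard Windows "Removable Disks" device-class policy key (the same key the Group Policy settings "Removable Disks: Deny read/write access" set), while fleet-wide enforcement would normally be done through a GPO or MDM profile.

```powershell
# Added example (not from the Mandiant/Google post): audit and enforce the
# "deny removable disk read/write" policy on one Windows host.
# Assumptions: run as Administrator; the device-class GUID below is the
# standard "Removable Disks" class used by the Group Policy settings
# "Removable Disks: Deny read access" / "Deny write access".

$PolicyRoot     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$RemovableDisks = Join-Path $PolicyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-RemovableDiskPolicy {
    # Returns the current state; a missing value means "not configured",
    # i.e. removable disks are fully accessible.
    $state = [ordered]@{ DenyRead = $false; DenyWrite = $false; DenyAll = $false }
    if (Test-Path $RemovableDisks) {
        $p = Get-ItemProperty -Path $RemovableDisks
        $state.DenyRead  = ($p.Deny_Read  -eq 1)
        $state.DenyWrite = ($p.Deny_Write -eq 1)
    }
    if (Test-Path $PolicyRoot) {
        # "All Removable Storage classes: Deny all access" sets Deny_All here.
        $r = Get-ItemProperty -Path $PolicyRoot
        $state.DenyAll = ($r.Deny_All -eq 1)
    }
    [pscustomobject]$state
}

function Set-RemovableDiskPolicy {
    # Block both reading from and writing to removable disks, so a visitor
    # posing as a technician cannot copy data to a USB drive from this host.
    New-Item -Path $RemovableDisks -Force | Out-Null
    New-ItemProperty -Path $RemovableDisks -Name Deny_Read  -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RemovableDisks -Name Deny_Write -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-RemovableDiskPolicy
if (-not $before.DenyAll -and -not ($before.DenyRead -and $before.DenyWrite)) {
    Write-Warning "Removable disks are readable/writable on $env:COMPUTERNAME; enforcing policy."
    Set-RemovableDiskPolicy
}
Get-RemovableDiskPolicy | Format-List

# The policy is applied when a device is enumerated; run gpupdate /force or
# reboot to be safe on hosts where a removable disk is already attached.
```

Running the audit half alone across a fleet (without the enforcement branch) is a quick way to find hosts where the USB control recommended above has drifted.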
“Organizations must move to a unified security posture that treats physical facility access control and endpoint-based device policies as equal components of their defensive perimeter,” the post said.