Google Mandiant and Google Threat Intelligence Group (GTIG) identified UNC3753 as the operator behind a data theft extortion campaign targeting U.S. organizations from January through May 2026. The threat actor combined vishing attacks with physical break-ins to compromise companies in the professional services, legal, and financial sectors.

UNC3753 employed social engineering tactics to gain initial access. Operators conducted vishing calls impersonating vendors or service providers, manipulating employees into revealing credentials or granting network access. Once inside systems, attackers exfiltrated sensitive data. The group then escalated pressure by conducting physical intrusions at target facilities, demonstrating their ability to access physical premises and reinforcing extortion demands.

This hybrid approach heightened victim coercion. Organizations faced dual threats: compromised digital infrastructure and evidence of physical security breaches. The combination signaled that attackers possessed operational resources spanning both cyber and physical domains, making threats more credible and urgent to victims.

UNC3753 targeted dozens of organizations across multiple high-value sectors. Professional services firms, law offices, and financial institutions hold client data, intellectual property, and sensitive business records. These assets command premium extortion demands.

The campaign reveals an escalating threat trend. Financially motivated actors increasingly layer techniques to maximize pressure on victims. Vishing reduces dependence on technical exploits, so campaigns work across organizations regardless of patch status. Physical intrusions eliminate deniability. Victims cannot dismiss threats as theoretical when attackers demonstrate knowledge of facility layouts and security measures.

Organizations in targeted sectors should strengthen vishing defenses through employee awareness training and call verification protocols. Two-factor authentication limits damage from compromised credentials. Physical security teams need to be briefed on social engineering tactics that could be used to gain facility access. Incident response plans should account for coordinated digital and physical attacks.

Law enforcement coordination and threat intelligence sharing help track UNC