Menu
Browse

Cyber Threat Actor: UNC6040

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
—
7 incidents
Profile

UNC6040, also known as INC, operates as a financially motivated threat cluster engaging in multi-phase extortion schemes. This actor employs voice phishing campaigns impersonating IT support personnel to deceive employees into authorizing malicious Salesforce Data Loader applications, enabling unauthorized access to sensitive business contact databases. Stolen data serves as leverage for Bitcoin ransom demands, with false flag operations occasionally misattributing responsibility to the 'ShinyHunters' group. The group demonstrates adaptability in tooling, transitioning from standard utilities to custom Python scripts while maintaining operational security through anonymizing services like Mullvad VPN and TOR networks. Extortion timelines reveal deliberate patience, with months sometimes elapsing between initial breaches and ransom threats.

Healthcare institutions and corporate entities represent confirmed targets, evidenced by operations against UK hospital networks and organizations using Salesforce platforms. The 2024 attack on Alder Hey Children's NHS Foundation Trust, Liverpool Heart and Chest Hospital, and Royal Liverpool University Hospital compromised years of sensitive patient records including medical histories and financial details, showcasing the actor's capacity to disrupt critical infrastructure. INC publicly claimed responsibility by leaking screenshots of exfiltrated data, though hospital services remained operational during restoration efforts. This incident highlighted coordination with UK law enforcement and regulatory bodies like the Information Commissioner’s Office during breach response.

Ransomware deployment and data extortion define the group's core methodology, with the INC moniker explicitly linked to encrypting hospital systems and exfiltrating information for double extortion. The 2025 campaign revealed expanded tradecraft through business email compromise attacks tailored to Salesforce environments, indicating reconnaissance of specific SaaS platforms. While no direct state affiliations or criminal consortium partnerships are documented, the actor's false attribution tactics and Bitcoin payment demands align with financially driven cybercriminal ecosystems. Persistent use of anonymization technologies and delayed extortion timelines suggest deliberate operational security measures to complicate attribution and recovery efforts. Their activities underscore a consistent focus on monetizing stolen data through psychological pressure and reputational harm against victims.

Incidents
Attributed incidents available to members
7 incidents
Sources
Sources available to members
0 sources