The notorious cyber gang UNC3944 attacks vSphere and Azure


The notorious cyber gang UNC3944 – the crew suspected of involvement in the recent attacks on Snowflake and MGM Entertainment, and much more besides – has changed its tactics and is now targeting SaaS applications.


According to Google Cloud's Mandiant threat intelligence team, UNC3944's activities have plenty of overlap with the attack group known variously as "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider." The group initially used credential-harvesting and SIM-swapping attacks in its operations, moving on to ransomware and extortion, but has now transitioned to "primarily extortion, without the use of ransomware."

Mandiant claimed it has heard recordings of UNC3944's calls to company help desks, during which the group attempts social engineering attacks.

"The threat actors spoke in clear English and targeted accounts with high privilege potential," Mandiant researchers wrote last week. In some cases, the callers already had the victims' personally identifiable information – allowing the attackers to bypass identity verification checks.
