Who watches the help desk when the help desk becomes the door? Google has flagged a fresh risk: a tracked threat actor known as UNC6783 is targeting business process outsourcing providers and, in doing so, is lifting corporate Zendesk support tickets that can offer entry to high‑value companies across multiple sectors.
What Google reported
Google identified and reported activity by a threat actor tracked as UNC6783 that is compromising business process outsourcing (BPO) providers. According to the report, UNC6783 is using those compromises to gain access to high‑value companies across multiple sectors and to steal corporate Zendesk support tickets.
What this means in practice
The technical foothold described by Google shifts the focus of intrusions away from target organizations themselves and toward their service providers. By compromising BPOs that handle customer support and related processes, the actor can reach systems—specifically corporate Zendesk instances—where sensitive operational and customer interactions are recorded. Google’s characterization links the compromise of these intermediaries directly to subsequent access to high‑value corporate environments.
Perspectives and implications
- Technologists: The pattern points to the need to treat suppliers and service providers as integral parts of an organization’s attack surface. The reported tactic—leveraging BPO compromises to harvest support tickets—underscores how third‑party access and shared platforms can be exploited to reach otherwise protected assets.
- Policymakers and risk managers: Cross‑sector exposure raises questions about systemic risk and the resilience of outsourced services. The Google report highlights an avenue through which a single, tracked adversary can potentially touch companies in different industries by targeting the providers they commonly use.
- Users and customers: Support tickets often document account issues, troubleshooting steps, and operational details; the theft of those records from corporate Zendesk systems could, according to Google’s findings, enable broader intrusions when an adversary leverages information obtained from a provider compromise.
- Adversaries: The campaign profile described by Google illustrates how compromising a small number of high‑access intermediaries can offer disproportionate reach into multiple target organizations, making BPOs attractive targets for operators seeking efficient routes to many victims.
Conclusion
Google’s report on UNC6783 spotlights a straightforward but potent calculus: attack the service provider, and you can reach many customers. The revelation reframes where defenders should concentrate controls and where policymakers should consider systemic safeguards. If the help desk can be a gateway, how will organizations and regulators adapt to defend the door?




