UNC3944 Hackers Acquire Corporate Logins Using SMS Phishing And Support Desk Calls

UNC3944, a financially driven threat group, has frequently employed phone-based social engineering and SMS phishing attacks to obtain credentials and escalate access within target organizations.

The hacking group has been observed to target a wide range of businesses, including hospitality, retail, media and entertainment, financial services, and telecommunication and business process outsourcer (BPO) firms.

According to Mandiant, owing to the group’s geographic diversity, it has concentrated more heavily on stealing large amounts of confidential data for extortion, and it appears to be familiar with Western commercial practices.

Additionally, UNC3944 has routinely used freely available tools, legitimate software, and malware that can be purchased on darknet forums.

Tactics, Techniques, And Procedures (TTPs)

To gain initial access to its victims, UNC3944 mainly depends on social engineering. They routinely call victim help desks and use SMS phishing operations to change passwords or get multifactor bypass codes.

In particular, to avoid detection by security monitoring technologies, the threat actors used commercial residential proxy services to reach their victims from the same local area.

“The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating large volumes of data over a few days,” according to the information shared with Cyber Security News.

The group accomplishes privilege escalation by focusing on password managers or privileged access management systems.

[Figure: UNC3944 attack lifecycle]

Threat actors tend to target business-critical virtual machines and other systems, particularly when delivering ransomware, perhaps to do as much damage to the victim as possible.



Further, they utilize aggressive communication techniques to interact with victims, including posting threatening notes in text files on computers, sending emails and SMS messages to executives, and hacking into the channels that victims use to respond to issues.

Researchers mention that “threat actors will continue to improve their tradecraft over time and may leverage underground communities for support to increase the efficacy of their operations.”

“They may use other ransomware brands and/or incorporate additional monetization strategies to maximize their profits in the future.”


  • Enforce Microsoft Authenticator with number matching and remove SMS as an MFA verification option.
  • Secure MFA and SSPR registration by requiring users to authenticate from a trusted network location and/or from a compliant device.
  • Create a Conditional Access Policy that restricts external access to Microsoft Azure and Microsoft 365 administration features by requiring users to authenticate from a trusted network location and/or from a compliant device.
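
One way to check a tenant against the recommendations above, as an added example that is not from Mandiant or the original article: the script audits policy data shaped like Microsoft Graph exports. The sample data, policy names and the `restricts`, `covered` and `audit` helpers are constructed for illustration; number matching and per-user exclusions are not checked, and only the Azure management application is tested for the third item.

```python
AZURE_MGMT = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Windows Azure Service Management API app ID
REGISTER = "urn:user:registersecurityinfo"           # "register security information" user action

# Constructed sample data shaped like Microsoft Graph exports (not from a real tenant).
AUTH_METHODS = {"authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Sms", "state": "enabled"}]}
CA_POLICIES = [
    {"displayName": "Block registration outside trusted networks", "state": "enabled",
     "conditions": {"applications": {"includeUserActions": [REGISTER]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Azure management needs compliant device", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": [AZURE_MGMT]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}}]

def restricts(policy):
    """True if an enforced policy limits access to trusted locations or compliant devices."""
    if policy.get("state") != "enabled":  # report-only and disabled policies enforce nothing
        return False
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    loc = policy.get("conditions", {}).get("locations") or {}
    blocks_untrusted = ("block" in controls and "All" in loc.get("includeLocations", [])
                        and "AllTrusted" in loc.get("excludeLocations", []))
    # With operator OR, any other listed control could satisfy the policy instead.
    needs_compliant = ("compliantDevice" in controls
                       and (grant.get("operator") == "AND" or controls == ["compliantDevice"]))
    return blocks_untrusted or needs_compliant

def covered(policies, key, target):
    return any(target in p.get("conditions", {}).get("applications", {}).get(key, [])
               and restricts(p) for p in policies)

def audit(auth_methods, policies):
    findings = []
    states = {c["id"]: c["state"] for c in auth_methods["authenticationMethodConfigurations"]}
    if states.get("Sms") == "enabled":
        findings.append("SMS is still enabled as an authentication method")
    if states.get("MicrosoftAuthenticator") != "enabled":
        findings.append("Microsoft Authenticator is not enabled")
    if not covered(policies, "includeUserActions", REGISTER):
        findings.append("MFA/SSPR registration is not restricted")
    if not covered(policies, "includeApplications", AZURE_MGMT):
        findings.append("Azure management access is not restricted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(AUTH_METHODS, CA_POLICIES)) or "no findings")
```

The constructed sample yields two findings: SMS is still enabled, and the Azure management policy is in report-only mode, so it does not yet enforce anything.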


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.