UNC3753 Executing Sustained Vishing Campaign Against US Legal Services
UNC3753 conducted a financially motivated data theft extortion campaign from January to May 2026 against US law firms and financial services firms, using vishing and social engineering to obtain remote access. The group's focus on high-value professional services sectors, and its reliance on human manipulation rather than technical exploits, make this a persistent threat that process and people-focused defences must address, since it leaves little for purely technical controls to catch at the point of entry.
Affected
UNC3753 represents a mature, financially motivated threat cluster that relies on social engineering in preference to technical exploitation. The campaign ran for at least five months and targeted dozens of organisations in high-value sectors, indicating sustained operational capability and disciplined victim selection. Rather than exploiting software vulnerabilities, the group masquerades as IT support and uses contextual pretexts (a data migration, an invoice that needs handling) to establish trust before asking the victim for credentials or for a remote access session.
The tactical approach is noteworthy: vishing combined with a plausible pretext defeats controls that assume an attacker must break in. Firewalls, endpoint protection, and vulnerability management offer little resistance at the point of entry when the victim hands over credentials or grants remote access, because the attacker then arrives as an authenticated, apparently legitimate user. Law firms are ideal targets because they handle high-value intellectual property, client data, and financial information, and their often distributed workforces make it harder for staff to judge whether an IT support caller is genuine.
Organisations in the affected sectors face risk beyond the immediate data theft. The extortion component indicates that the group stays in victim environments long enough to locate and exfiltrate sensitive data before demanding payment, which points to either weak internal detection or deliberate use of dwell time. Traditional breach response is built around technical indicators of compromise, but a vishing-based intrusion may produce few of the artefacts that endpoint detection systems flag, so defenders should plan for intrusions whose earliest evidence is a phone call and a help-desk ticket rather than an alert.
Defence requires a shift from technology-centric to human-centric security. Baseline controls are mandatory call-back verification, in which employees independently confirm a caller's identity using a contact number already on record rather than one the caller supplies; role-based access controls that prevent a single employee from granting remote access; and multi-person approval for issuing credentials. Security awareness training must move beyond annual compliance modules to scenario-based reinforcement of social engineering red flags, particularly for administrative staff who handle access requests.
The five-month operational window suggests limited detection and reporting by victims, raising concerns about the true scope of the campaign. Law firms may lack adequate security monitoring, or may be handling incidents privately. Future campaigns will likely continue to target professional services, given the sector's combination of valuable data, distributed operations, and weaker technical defences than those of enterprise technology companies.
Sources