active threat profile
type: cybercrime
threat_level: critical
status: active
origin: Unknown (China-nexus assessed by some researchers)
last_updated: 2026-03-26

UNC6395

also known as: GRUB1 (Cloudflare Cloudforce One)

UNC6395 is a threat cluster tracked by Google Threat Intelligence Group (GTIG) and Mandiant, responsible for the August 2025 Salesloft Drift supply chain breach — one of the largest SaaS supply chain compromises on record. The actor spent months quietly inside Salesloft's GitHub environment before pivoting into Drift's AWS infrastructure to steal OAuth integration tokens, then used those tokens to systematically query and exfiltrate Salesforce data from more than 700 organizations globally. The primary objective was credential harvesting: AWS access keys, Snowflake tokens, VPN credentials, and passwords stored inside Salesforce support cases and records.

attributed origin: Unknown — China-nexus assessed by AppOmni based on tactics and targeting; Google and Mandiant have not confirmed nation-state affiliation
suspected sponsor: Unknown — financial motivation confirmed; espionage intent unconfirmed but consistent with credential harvesting at scale
first observed: March 2025 (Salesloft GitHub access); August 8, 2025 (active Salesforce exfiltration begins)
primary motivation: Credential harvesting — AWS keys, Snowflake tokens, passwords extracted from Salesforce data for downstream attacks
primary targets: Any organization using the Salesloft Drift–Salesforce integration; technology, cybersecurity, financial services, cloud platforms
known campaigns: 1 confirmed major operation (Salesloft Drift, Aug 2025); 700+ victim organizations
mitre att&ck group: Unassigned (new cluster, no formal MITRE designation as of 2026)
target regions: Global — primarily North America, Europe; any Salesloft Drift customer worldwide
threat level: CRITICAL

Overview

UNC6395 represents a new class of cloud threat actor — one that never directly attacked its ultimate victims. Instead, it compromised a trusted third-party SaaS vendor, stole the credentials that vendor used to connect to customers, and then walked into hundreds of enterprise environments using those legitimate tokens as keys. No exploitation of a software vulnerability. No phishing of the end targets. Just a systematic abuse of the trust relationships that underpin modern SaaS ecosystems.

The actor's primary staging ground was Salesloft, a sales engagement platform that integrated with Drift — a conversational AI chatbot used for lead generation and customer chat. Drift maintained persistent OAuth connections to Salesforce, Google Workspace, and other platforms on behalf of its customers. Those OAuth tokens, stored in Drift's AWS infrastructure, became the pivot point for the entire campaign.

Initial access predated the breach by months. Mandiant's forensic investigation confirmed that UNC6395 gained access to Salesloft's GitHub account as early as March 2025 — five months before the active exfiltration window. During that dwell period, the actor downloaded content from multiple private repositories, added a guest user to the environment, and established workflows. Investigators found reconnaissance activity in both the Salesloft and Drift environments but no evidence of deeper compromise in Salesloft's core application. The actor's interest was narrowly focused on Drift's AWS environment, where OAuth tokens for customer integrations were stored.

Between August 8 and 18, 2025, UNC6395 used those stolen tokens to access Salesforce environments at scale. The methodology was deliberate: the actor first ran reconnaissance queries to count record volumes before selectively pulling detailed user and case data. Bulk API 2.0 was used for mass export. Query jobs were deleted post-exfiltration in an attempt to cover tracks — though audit logs were not affected and organizations were still able to reconstruct attacker activity from retained log data.

The breach was not limited to Salesforce. Google's subsequent investigation confirmed that Drift Email tokens were also compromised, enabling access to a small number of Google Workspace accounts. Drift's connections to Slack and other cloud storage platforms were also assessed as potentially exposed, prompting Google to advise that all Drift-issued tokens be treated as compromised regardless of platform.

attribution note

Google and Mandiant have not formally attributed UNC6395 to a nation-state. AppOmni researchers assessed China-nexus affiliation based on tradecraft and targeting; Cloudflare's Cloudforce One tracks the same cluster as GRUB1. Obsidian Security noted possible overlap with ShinyHunters or Scattered Spider, but no confirmed relationship exists. The FBI's September 14, 2025 Flash Advisory (CSA-2025-250912) treated UNC6395 and UNC6040 as separate, distinct clusters with different initial access vectors. This profile treats UNC6395 as a distinct unattributed threat cluster.

Attack Timeline

The Salesloft Drift campaign unfolded over approximately six months, with a long dwell period preceding a compressed active exploitation window.

March – June 2025
Salesloft GitHub compromise and reconnaissance. UNC6395 gains access to a Salesloft GitHub account through unknown means (Salesloft has not disclosed the initial access vector). The actor downloads content from multiple private repositories, adds a guest user, and establishes workflows. Reconnaissance is also detected in the Salesloft and Drift application environments. No deeper compromise of the Salesloft core platform is confirmed by Mandiant.
Late June – Early August 2025
Pivot to Drift AWS and OAuth token theft. Using access obtained through the Salesloft environment, UNC6395 pivots to Drift's Amazon Web Services infrastructure. The actor extracts OAuth tokens for Drift customers' technology integrations — including Salesforce, Google Workspace, and other platforms. These tokens authorize Drift to act on behalf of customer organizations without requiring passwords or MFA.
August 8 – 18, 2025
Active Salesforce exfiltration across 700+ organizations. UNC6395 uses the stolen OAuth tokens to access Salesforce customer instances. The actor runs reconnaissance SOQL queries to assess record volumes, then executes Bulk API 2.0 exports of Users, Accounts, Cases, and Opportunities objects. Post-exfiltration, bulk query jobs are deleted. Threat intelligence indicators include Tor exit node traffic, VPS infrastructure (Hetzner, DigitalOcean ranges), and anomalous User-Agent strings. Evidence of data exfiltration begins August 12 according to Mitiga Labs.
August 9, 2025
Google Workspace access confirmed. A Drift Email OAuth token is used to access a small number of Google Workspace accounts that had been configured to integrate with Salesloft Drift. Google identifies the impacted users and revokes the specific OAuth tokens.
August 20, 2025
Containment. Salesloft, in coordination with Salesforce, revokes all active Drift access and refresh tokens. Salesforce removes the Drift application from the AppExchange pending further investigation. Salesloft engages Mandiant on August 28 to lead the forensic investigation.
August 26, 2025
Google GTIG public advisory. Google Threat Intelligence Group publishes a blog post attributing the campaign to UNC6395 and confirming the broad scope of the compromise. FINRA issues a separate Cybersecurity Alert to member firms. Affected organizations including Zscaler, Palo Alto Networks, Cloudflare, Proofpoint, CyberArk, and BeyondTrust begin disclosing publicly.
August 28, 2025
Scope expanded. Google updates its advisory confirming the compromise is not limited to the Salesforce integration. All Drift integration tokens — including those for Google Workspace, Slack, and cloud storage — are assessed as potentially compromised. Organizations are instructed to treat all Drift-issued tokens as exposed.
September 7–8, 2025
Root cause disclosed. Salesloft publishes Mandiant's investigation findings, confirming the GitHub account compromise as the point of initial access. Key details about how the GitHub account was accessed remain undisclosed. Salesforce restores the Salesloft integration but keeps Drift disabled. Cloudflare's Cloudforce One attributes the campaign to GRUB1.
September 14, 2025
FBI Flash Advisory. The FBI issues Flash Advisory CSA-2025-250912, warning organizations about both UNC6395 and UNC6040 targeting Salesforce environments through distinct attack vectors. The advisory treats the two clusters as separate, unrelated operations.
November 2025
Gainsight follow-on campaign. Investigators link a November 2025 compromise of Gainsight — another Salesforce-integrated platform — to the same broader campaign. More than 200 additional Salesforce customers have data accessed via Gainsight apps. The actor is assessed to have reused knowledge and credentials from the Salesloft Drift wave to compromise Gainsight.

Target Profile

UNC6395's victim selection was determined almost entirely by integration topology rather than industry sector. Any organization that had deployed the Salesloft Drift–Salesforce integration was a potential target. The actor did not need to know who the targets were in advance — the OAuth tokens in Drift's AWS environment provided a pre-assembled list of authorized connections.

  • Technology and cybersecurity firms: Among the confirmed victims are Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, CyberArk, Elastic, Rubrik, BeyondTrust, SpyCloud, Tanium, Tenable, Qualys, BugCrowd, and PagerDuty. The concentration of cybersecurity vendors in the victim list is notable — these organizations store security-relevant configuration data, API keys, and threat intelligence in their Salesforce CRM environments.
  • Financial services: FINRA-member firms and their third-party vendors are confirmed affected, with FINRA issuing a direct advisory to member firms. Financial sector organizations were specifically targeted for the AWS access keys and credentials stored in Salesforce support cases.
  • Cloud infrastructure providers: Cloudflare disclosed that 104 API tokens were accessed in support cases stored in Salesforce. While Cloudflare rotated those tokens as a precaution, the exposure demonstrates that cloud infrastructure credentials regularly flow through CRM systems.
  • Any Salesloft Drift customer: The supply chain nature of the attack means victim selection was opportunistic within the Drift customer base. Organizations across retail, healthcare, manufacturing, and services are also among the 700+ affected, though many have not made public disclosures.

Tactics, Techniques & Procedures

UNC6395's TTPs reflect a sophisticated, patient adversary with strong operational security awareness and a clear understanding of how SaaS integration architectures can be weaponized. The campaign avoided all conventional intrusion indicators — no exploitation of software vulnerabilities, no malware on end-user machines, no direct attacks on victim organizations.

mitre id | technique | description
T1195.003 | Supply Chain Compromise — Compromise Software Dependencies | Initial access to Salesloft's GitHub account enabled the actor to compromise the Drift application's supply chain. By gaining access to private repository content and Drift's AWS environment, UNC6395 turned a trusted third-party integration into an attack vector against hundreds of downstream customers.
T1078.004 | Valid Accounts — Cloud Accounts | Stolen Drift OAuth tokens represented pre-authorized cloud service credentials. Tokens granted API-level access to Salesforce, Google Workspace, and other platforms, bypassing MFA entirely — because OAuth tokens represent an already-authenticated application session, not a user credential flow.
T1550.001 | Use Alternate Authentication Material — Application Access Token | The core technical mechanism of the campaign. Drift OAuth tokens stored in AWS were extracted and used to impersonate the Drift application to Salesforce, Google Workspace, and other connected services. Victims had no way to distinguish token-authenticated Drift API calls from legitimate Drift usage without behavioral anomaly detection.
T1213.002 | Data from Information Repositories | Salesforce SOQL (Salesforce Object Query Language) was used to systematically retrieve records from Users, Accounts, Cases, and Opportunities objects. The actor first ran reconnaissance COUNT() queries to assess record volumes before executing selective bulk exports — a pattern consistent with intent to prioritize and stage exfiltration efficiently.
T1530 | Data from Cloud Storage | Salesforce Bulk API 2.0 was used to export large volumes of record data. The actor searched exported data specifically for plaintext secrets: AWS access keys (AKIA prefix), Snowflake connection tokens, VPN credentials, and corporate passwords stored in case text fields and attachments.
T1070.001 | Indicator Removal — Clear Windows Event Logs (analog: delete query jobs) | After completing each Salesforce bulk export, the actor deleted the associated Salesforce query job records — the audit artifacts that would most directly show what data was exported. However, event-level logs were not affected, allowing forensic reconstruction of attacker activity from audit log entries that survived the cleanup.
T1090.003 | Proxy — Multi-hop Proxy | Activity was routed through Tor exit nodes and commercial VPS providers including Hetzner and DigitalOcean ranges. This infrastructure pattern is consistent across the active exfiltration phase and was used to obscure the actor's true network origin.
T1589.003 | Gather Victim Identity Information — Employee Data | Exported Salesforce data included business contact details (names, email addresses, job titles, phone numbers), support case content, and account metadata. This data feeds downstream attacks: spear phishing, credential stuffing, and social engineering against the employees of compromised organizations.
T1087.004 | Account Discovery — Cloud Account | Reconnaissance SOQL queries measured the scale of User and Account objects before bulk export. The actor specifically hunted for AWS access keys (identifiable by the AKIA prefix) and other cloud platform secrets embedded in Salesforce case text — a credential-first objective consistent with the group's assessed downstream goals.

Known Campaigns

UNC6395 is a recently designated cluster with one confirmed major operation and one attributed follow-on campaign.

Salesloft Drift OAuth Supply Chain Breach March – August 2025

The defining operation attributed to UNC6395. Initial access to Salesloft's GitHub account was established as early as March 2025. Following months of reconnaissance, the actor accessed Drift's AWS environment and extracted OAuth tokens for customer integrations. Between August 8 and 18, 2025, the actor systematically queried Salesforce environments for more than 700 organizations, exfiltrating contact data, support case content, and — critically — plaintext credentials embedded in Salesforce records. Confirmed public victims include Cloudflare, Palo Alto Networks, Zscaler, Proofpoint, CyberArk, Elastic, BeyondTrust, Rubrik, SpyCloud, Tenable, Qualys, PagerDuty, Workday, Toast, Fastly, Avalara, Agility PR, and dozens of others across technology, financial services, and cloud infrastructure sectors. Google GTIG and Mandiant led the incident response; Cloudflare's Cloudforce One attributed the same campaign to GRUB1. All Drift OAuth tokens were revoked on August 20, 2025; Drift was removed from the Salesforce AppExchange pending investigation.

Gainsight Supply Chain Follow-On November 2025

In November 2025, investigators identified a compromise of Gainsight — a customer success platform also integrated with Salesforce — attributed to the same broader campaign as the Salesloft Drift breach. The actor is assessed to have reused knowledge and credentials obtained in the earlier wave to compromise Gainsight apps connected to Salesforce. More than 200 additional Salesforce customer organizations had data accessed via Gainsight integrations. Gainsight confirmed that the exposed data was primarily business contact information and support case details. The Gainsight incident confirms that UNC6395's technique — targeting SaaS vendors with Salesforce integrations to access downstream organizations — extends beyond the Drift integration.

Indicators of Compromise

Network and behavioral indicators from the Salesloft Drift campaign, as documented by Google GTIG, Mandiant, and Cloudflare Cloudforce One.

warning

The active exfiltration window closed August 20, 2025, following Drift token revocation. Network-level IOCs from this campaign are no longer operationally useful for blocking. Behavioral IOCs — anomalous SOQL query patterns, bulk API usage, and query job deletion — remain relevant for detecting future campaigns using similar techniques. For full IOC detail including specific User-Agent strings and IP ranges, refer to the Google GTIG advisory directly.

indicators of compromise — Salesloft Drift campaign

type | indicator
network | Salesforce API access originating from Tor exit nodes — unexpected for any legitimate integrated application; high-volume GET requests from Tor exit nodes targeting Salesforce endpoints were an early indicator surfaced by Mitiga Labs
network | VPS provider IP ranges (Hetzner, DigitalOcean) observed in Salesforce API traffic attributed to Drift application credentials; legitimate Drift usage would route through Salesloft/Drift infrastructure, not commercial hosting ranges
behavior | SOQL COUNT(*) reconnaissance queries on Users, Accounts, Cases, and Opportunities objects preceding bulk export jobs — legitimate Drift activity does not include record count reconnaissance
behavior | Salesforce Bulk API 2.0 job creation for mass export of Cases and Contacts, followed immediately by deletion of the bulk query job record — job deletion is an operational security behavior inconsistent with legitimate Drift usage
behavior | SOQL queries containing credential-hunting patterns — searches for AKIA (AWS access key prefix), password, token, secret, or key within Case body text or attachment content fields
github | Unexpected guest user addition to GitHub organization; unauthorized repository ZIP download events (detectable via GitHub audit log repo.download_zip events); new workflow creation by an unrecognized user identity
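
The GitHub-side indicators above (and the matching audit-log guidance in the mitigation section) can be triaged from an audit log export. The script below is an added example, not code from the profile or from Salesloft; the input is constructed JSON Lines in the general shape of a GitHub audit log export, `repo.download_zip` is the action named on this page, and the membership and workflow action names, the `KNOWN_ACTORS` roster and the download threshold are assumptions to be checked against your own export.

```python
"""Triage GitHub organization audit log entries for the reconnaissance
pattern in this profile: unexpected member additions, repository ZIP
downloads (repo.download_zip) and workflow activity by unrecognized actors.

Input is constructed JSON Lines in the general shape of a GitHub audit log
export (action, actor, org, repo, user, created_at). repo.download_zip is
the action named on the page; the membership and workflow action names are
assumptions and should be verified against the org's own log export.
"""
import json
from collections import Counter

# Constructed roster of identities expected to act in this org.
KNOWN_ACTORS = {"alice", "bob", "ci-bot"}
MEMBERSHIP_ACTIONS = {"org.add_member", "org.invite_member", "repo.add_member"}  # assumed names
WORKFLOW_PREFIX = "workflows."                                                    # assumed prefix
DOWNLOAD_ACTION = "repo.download_zip"


def triage(raw_jsonl, download_threshold=3):
    """Return (rule, subject, time) findings from audit log lines."""
    findings = []
    downloads = Counter()  # ZIP downloads per actor
    for line in raw_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        action = ev.get("action", "")
        actor = ev.get("actor", "")
        at = ev.get("created_at", "")
        unknown_actor = actor not in KNOWN_ACTORS
        if action in MEMBERSHIP_ACTIONS and ev.get("user") not in KNOWN_ACTORS:
            # A new identity was granted access; verify it against HR/IT records.
            findings.append(("unexpected-member-added", ev.get("user"), at))
        elif action == DOWNLOAD_ACTION:
            rule = "repo-zip-download-unknown-actor" if unknown_actor else "repo-zip-download"
            findings.append((rule, ev.get("repo"), at))
            downloads[actor] += 1
            # Several archive downloads by one actor: bulk source collection.
            if downloads[actor] == download_threshold:
                findings.append(("bulk-repo-download", actor, at))
        elif action.startswith(WORKFLOW_PREFIX) and unknown_actor:
            findings.append(("workflow-activity-unknown-actor", actor, at))
    return findings


# Constructed sample log: a contractor account is added, pulls three repos
# as ZIP archives and then triggers a workflow; the CI bot's run is benign.
SAMPLE_LOG = """\
{"action":"org.add_member","actor":"alice","org":"example-org","user":"contractor-x","created_at":"2025-03-14T10:00:00Z"}
{"action":"repo.download_zip","actor":"contractor-x","org":"example-org","repo":"example-org/connector","created_at":"2025-03-14T10:05:00Z"}
{"action":"repo.download_zip","actor":"contractor-x","org":"example-org","repo":"example-org/infra","created_at":"2025-03-14T10:06:00Z"}
{"action":"repo.download_zip","actor":"contractor-x","org":"example-org","repo":"example-org/billing","created_at":"2025-03-14T10:07:00Z"}
{"action":"workflows.created_workflow_run","actor":"contractor-x","org":"example-org","repo":"example-org/infra","created_at":"2025-03-14T11:00:00Z"}
{"action":"workflows.created_workflow_run","actor":"ci-bot","org":"example-org","repo":"example-org/infra","created_at":"2025-03-14T12:00:00Z"}
{"action":"git.push","actor":"bob","org":"example-org","repo":"example-org/infra","created_at":"2025-03-14T12:30:00Z"}
"""

if __name__ == "__main__":
    for rule, subject, at in triage(SAMPLE_LOG):
        print(at, rule, subject)
```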

Mitigation & Defense

The Salesloft Drift breach exposed a class of risk that few organizations had modeled: a trusted third-party SaaS application holding persistent OAuth tokens to enterprise environments. Defensive guidance focuses on OAuth governance, SaaS integration visibility, and behavioral detection.

  • Audit and inventory all connected OAuth applications: Identify every third-party application with OAuth access to Salesforce, Google Workspace, Slack, and other enterprise platforms. Treat each integration as a potential attack surface. Pay particular attention to chatbot, marketing automation, and sales engagement tools with broad CRM read permissions.
  • Enforce least-privilege OAuth scopes: Applications should request only the minimum permissions required for their stated function. A chatbot integration does not need full Account and Case read access. Review and downscope existing app permissions. Reject new integration requests that request broader access than the use case justifies.
  • Shorten OAuth token lifetimes and enforce re-consent on scope changes: Persistent, non-expiring OAuth tokens are a core enabler of this class of attack. Configure Salesforce and connected platforms to require periodic token re-authorization and to invalidate tokens when integration scopes change.
  • Do not store credentials in Salesforce case fields: AWS access keys, VPN credentials, passwords, and API tokens stored as plaintext in support cases are directly harvested in SOQL-based exfiltration campaigns. Establish and enforce a policy prohibiting credential storage in CRM record fields. Use secrets management solutions for any operational credentials that must be shared with support teams.
  • Monitor Salesforce API activity for anomalous patterns: Baseline normal application API usage — call volumes, query types, timing patterns — for each connected app. Alert on Bulk API 2.0 jobs from OAuth-authenticated app identities, SOQL queries that scan for credential-related strings, COUNT() reconnaissance patterns preceding export operations, and bulk query job creation followed by immediate deletion.
  • Monitor GitHub for unauthorized access and repository downloads: Use GitHub audit logs to detect unexpected guest user additions, repository archive downloads (repo.download_zip events), and workflow creation by unrecognized identities. Apply behavioral anomaly detection to distinguish automated CI/CD activity from adversary reconnaissance.
  • Restrict IP ranges for connected app API access: Salesforce supports IP allowlisting for connected apps. Legitimate integrations should operate from known, consistent infrastructure ranges. Traffic from Tor exit nodes or unexpected VPS provider ranges attributed to a connected app identity should be treated as a high-confidence indicator of compromise.
  • Include SaaS integrations in vendor risk assessments and threat models: UNC6395 demonstrated that a vendor compromise can cascade to hundreds of downstream organizations through OAuth-connected integrations. Third-party SaaS vendors with persistent API access to enterprise platforms require the same security scrutiny as on-premise software with network access.
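
The behavioral indicators listed earlier and the Salesforce monitoring and IP-restriction bullets above can be turned into rules over per-app API activity. The detector below is an added example, not code from the profile or from Salesforce; it runs over a constructed, simplified event shape (not Salesforce's real EventLogFile schema), and the allowlist range, sensitive object set, time windows and sample events are assumptions chosen for the demonstration.

```python
"""Behavioral detection for the Salesforce-side tradecraft in this profile.

Constructed input: a simplified, normalized event shape (NOT Salesforce's
real EventLogFile schema) with keys ts (ISO 8601), app, ip, kind, detail.
kind is "soql" (detail = query text), "bulk_create" or "bulk_delete"
(detail = constructed bulk job id).
"""
from datetime import datetime, timedelta
import ipaddress
import re

# Assumed allowlist for the connected app (TEST-NET-3 placeholder range).
ALLOWED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
# Credential-hunting terms named in the profile, including the AWS AKIA prefix.
CRED_HUNT = re.compile(r"\b(AKIA|password|token|secret|key)\b", re.IGNORECASE)
COUNT_QUERY = re.compile(r"\bSELECT\s+COUNT\s*\(", re.IGNORECASE)
FROM_OBJECT = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)
# Objects the actor enumerated and exported (assumed watchlist).
SENSITIVE_OBJECTS = {"User", "Account", "Case", "Opportunity", "Contact"}


def ip_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CIDRS)


def analyze(events, recon_window=timedelta(hours=2), delete_window=timedelta(hours=1)):
    """Return (rule, detail) findings for one connected-app identity's events."""
    findings = []
    flagged_ips = set()
    recon_ts = []   # times of COUNT() queries against sensitive objects
    open_jobs = {}  # bulk job id -> creation time
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if not ip_allowed(e["ip"]) and e["ip"] not in flagged_ips:
            flagged_ips.add(e["ip"])
            findings.append(("off-allowlist-ip", e["ip"]))
        if e["kind"] == "soql":
            q = e["detail"]
            if CRED_HUNT.search(q):
                findings.append(("credential-hunting-soql", q))
            m = FROM_OBJECT.search(q)
            if COUNT_QUERY.search(q) and m and m.group(1) in SENSITIVE_OBJECTS:
                recon_ts.append(ts)
        elif e["kind"] == "bulk_create":
            open_jobs[e["detail"]] = ts
            # COUNT() reconnaissance shortly before a bulk export: staging pattern.
            if any(ts - r <= recon_window for r in recon_ts):
                findings.append(("count-recon-then-bulk-export", e["detail"]))
        elif e["kind"] == "bulk_delete":
            created = open_jobs.pop(e["detail"], None)
            # Export job deleted soon after creation: cleanup of the audit artifact.
            if created is not None and ts - created <= delete_window:
                findings.append(("bulk-job-created-then-deleted", e["detail"]))
    return findings


# Constructed sample: one night of activity under the Drift app identity.
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T02:01:00", "app": "drift", "ip": "198.51.100.7",
     "kind": "soql", "detail": "SELECT COUNT() FROM Case"},
    {"ts": "2025-08-10T02:03:00", "app": "drift", "ip": "198.51.100.7",
     "kind": "soql", "detail": "SELECT Id, Subject, Description FROM Case WHERE Description LIKE '%AKIA%'"},
    {"ts": "2025-08-10T02:10:00", "app": "drift", "ip": "198.51.100.7",
     "kind": "bulk_create", "detail": "job-0001"},
    {"ts": "2025-08-10T02:40:00", "app": "drift", "ip": "198.51.100.7",
     "kind": "bulk_delete", "detail": "job-0001"},
    {"ts": "2025-08-10T09:00:00", "app": "drift", "ip": "203.0.113.5",
     "kind": "soql", "detail": "SELECT Id, Name FROM Contact WHERE Email = 'a@example.com'"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run it per connected-app identity (group events by `app` first); a real deployment would read the same fields from the platform's own API event logs.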

note

The Salesloft Drift campaign illustrates how SaaS supply chain attacks follow the same structural pattern as earlier software supply chain attacks (SolarWinds, MOVEit) but use OAuth tokens instead of malicious code updates as the propagation mechanism. A single vendor compromise provided authenticated access to hundreds of customer environments — and the victims had no direct way to detect the intrusion because the traffic appeared to originate from a legitimate, pre-authorized application.

Sources & Further Reading

Attribution and references used to build this profile.

— end of profile