UNC6395: From GitHub to Salesforce, Inside the Supply‑Chain Breach
- GK
- Sep 11

A compromise of Salesloft’s GitHub kicked off a supply‑chain campaign that used stolen OAuth tokens from Drift to export data at scale from Salesforce.
The operation ran quietly between 8–18 Aug 2025, targeted hundreds of organisations, and focused on harvesting credentials buried in support data.
"We are recommending that all Drift customers who manage their own Drift connections to third-party applications via API key, proactively revoke the existing key and reconnect using a new API key for these applications," it said. "This only relates to API key-based Drift integrations. OAuth applications are being handled directly by Salesloft."
Attack Chain

Mar–Jun 2025 — Investigators say attackers accessed Salesloft’s GitHub for months, downloaded repos, added a guest user, and stood up rogue workflows as persistence.
Aug 8–18, 2025 — Using access obtained earlier, actors reached Drift’s AWS environment, stole OAuth tokens, then exported large volumes of data from customers’ Salesforce orgs. Google Threat Intelligence (GTIG) says the primary goal was credential harvesting from support data.
Late Aug → early Sep 2025 — Salesforce disabled Salesloft integrations during incident response; Drift remained disabled pending further review. Later updates restored some integrations with caveats.
Investigators estimate that the breach affected more than 700 organizations worldwide. These victims span multiple sectors, including cloud computing, cybersecurity, SaaS providers, and enterprise technology. The scope makes this one of the largest SaaS supply-chain breaches in recent years.
Tactics, Techniques, and Procedures (TTPs)

Initial Access
T1199 – Trusted Relationship
UNC6395 abused trusted supply-chain relationships (e.g., Salesloft → Drift → downstream customers). By compromising a partner with privileged integrations, they inherited trusted access to customer environments.
T1078 – Valid Accounts
The group used legitimate GitHub and SaaS credentials (possibly stolen or abused OAuth tokens) to log in. This bypassed security controls since the accounts were already authorized.
Execution
T1569 – System Services
Attackers executed code or automated workflows by leveraging legitimate system services (e.g., GitHub Actions, SaaS APIs). Instead of dropping malware, they abused built-in capabilities to carry out their objectives.
Credential Access
T1552 – Unsecured Credentials
UNC6395 searched repositories, cases, and SaaS storage for secrets such as AWS keys, OAuth tokens, and Snowflake credentials. Exposed plaintext credentials accelerated lateral movement.
Discovery
T1526 – Cloud Service Discovery
The group enumerated SaaS/cloud services to understand available integrations (e.g., Salesforce objects, Google Workspace). This allowed them to map an organization’s cloud footprint.
Collection
T1213 – Data from Information Repositories
They queried Salesforce (SOQL) and GitHub repositories to pull sensitive business records, support cases, and source code. These structured repositories were high-value intelligence sources.
T1530 – Data from Cloud Storage Object
Attackers accessed and downloaded data stored in cloud buckets or SaaS-hosted storage (e.g., S3 buckets, Salesforce file attachments). These objects often contained sensitive files and exports.
Exfiltration
T1567 – Exfiltration Over Web Service
Rather than using custom malware C2, UNC6395 exfiltrated stolen data over legitimate web services (Salesforce APIs, Gmail API, or cloud storage APIs). This blended with normal traffic and reduced detection likelihood.
Indicators of Compromise (IOCs)
AlienVault live updates: https://otx.alienvault.com/pulse/68bead11991e59fe0c60cd8a
Traditional “bad IP/domain” lists won’t carry you far here — this campaign abused valid tokens and “lived off the SaaS land.”
| Indicator type | What to look for | Where to look | Why it matters |
|---|---|---|---|
| GitHub persistence | Unknown guest users, unexpected Actions/workflows added Mar–Jun 2025, odd login geos | GitHub audit logs; Actions history | Mirrors Salesloft’s initial compromise steps. |
| Drift token abuse | OAuth clients tied to Drift with spikes in API calls, atypical times/regions | Drift logs/AWS logs (if available); SIEM tied to Drift client IDs | Stolen tokens were the fulcrum (GTIG). |
| Salesforce exfil | Bursts in Bulk API, ReportExport events; mass File/Attachment downloads by integration users | Salesforce Event Monitoring (API, Bulk, ReportExport); LoginHistory | The exports were “legitimate” calls at scale. |
| Secrets in cases | AKIA patterns, Snowflake tokens, API keys within Case bodies/attachments | Salesforce Cases/Files; DLP scans | Actors mined support data for pivot creds. |
| Google Workspace via Drift Email | Drift Email OAuth tokens; Google‑initiated revocations; limited account access | Google Admin/OAuth token inventory; email access logs | GTIG confirmed broader scope beyond Salesforce. |
| OpSec clues | Deleted Salesforce query jobs post‑export | Salesforce Job histories; SIEM | Indicates stealthy clean‑up; don’t assume “no logs.” |
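Detection logic for the “Salesforce exfil” and “Secrets in cases” rows of the table, written as an added example for this post (it is not code from the original, from GTIG or from Salesforce). It runs over constructed Event Monitoring-style rows and Case bodies; the field names, the thresholds and the AKIA value are assumptions or fakes, not a real org’s data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample rows shaped like Salesforce Event Monitoring records;
# field names are simplified and assumed, not copied from a real org's logs.
SAMPLE_EVENTS = [
    {"EVENT_TYPE": "BulkApi", "USER": "drift-integration", "TIMESTAMP": "2025-08-10T03:12:00", "ROWS": 180000},
    {"EVENT_TYPE": "BulkApi", "USER": "drift-integration", "TIMESTAMP": "2025-08-10T03:20:00", "ROWS": 210000},
    {"EVENT_TYPE": "ReportExport", "USER": "drift-integration", "TIMESTAMP": "2025-08-10T03:41:00", "ROWS": 95000},
    {"EVENT_TYPE": "BulkApi", "USER": "nightly-etl", "TIMESTAMP": "2025-08-10T02:00:00", "ROWS": 50000},
    {"EVENT_TYPE": "API", "USER": "alice", "TIMESTAMP": "2025-08-10T09:05:00", "ROWS": 20},
]
# Constructed support-case bodies; the AKIA value below is a fake, not a real key.
SAMPLE_CASES = {
    "CASE-0001": "Customer pasted config: aws_access_key_id = AKIAEXAMPLEEXAMPLE01 (fake)",
    "CASE-0002": "Login page returns 500 after the upgrade; no credentials attached.",
}
EXPORT_EVENTS = {"BulkApi", "ReportExport"}
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(r"(?i)\bapi[_-]?key\s*[:=]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}

def find_export_bursts(events, window=3600, max_events=2, max_rows=300000):
    """Flag users whose export events in any sliding window exceed the event or row
    threshold (illustrative values; tune to your baseline). Returns {user: (events, rows)}."""
    per_user = defaultdict(list)
    for e in events:
        if e["EVENT_TYPE"] in EXPORT_EVENTS:
            per_user[e["USER"]].append((datetime.fromisoformat(e["TIMESTAMP"]), e["ROWS"]))
    flagged = {}
    for user, items in per_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            rows = [r for t, r in items[i:] if (t - start).total_seconds() <= window]
            if len(rows) > max_events or sum(rows) > max_rows:
                flagged[user] = (len(rows), sum(rows))
                break
    return flagged

def scan_case_bodies(cases):
    """Scan Case text for credential patterns; return (case_id, pattern, redacted)
    so a finding can be ticketed without copying the secret into another system."""
    hits = []
    for case_id, body in cases.items():
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(body):
                tok = m.group(0)
                hits.append((case_id, name, tok[:4] + "..." + tok[-4:]))
    return hits
```

A burst of three export events from one integration user inside an hour is exactly the shape the table describes; a hit on a Case body is the cue to rotate that credential rather than just delete the text.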
Mitigation & Recommendations
Drift admins should re-authenticate their Salesforce connection.
To re-authenticate Salesforce in Drift:
Go to Settings > Integrations > Salesforce;
Click Disconnect;
Click Connect Account;
Log in with your Salesforce credentials and authorize the connection.
Identity & Access Management
Multi-Factor Authentication (MFA): Enforce MFA across GitHub, Salesforce, Google Workspace, AWS, and all privileged accounts.
Single Sign-On (SSO): Integrate SaaS apps into a central IdP with conditional access policies.
Least Privilege: Apply least privilege to service accounts, GitHub tokens, and Salesforce profiles.
Just-In-Time Access: Rotate secrets frequently and remove standing privileges.
OAuth & Third-Party Integration Security
Review Connected Apps: Audit all OAuth-connected apps in Salesforce, Google Workspace, Slack, etc.
Scope Restrictions: Limit OAuth permissions to only what is strictly required.
Token Hygiene: Revoke unused or stale tokens and enforce short lifetimes.
App Whitelisting: Restrict OAuth authorization to approved apps only.
Monitoring: Alert on new OAuth app authorizations and unusual token activity.
GitHub & Source Code Security
Access Control: Disable guest user access, enforce SSO, and restrict repo cloning by external users.
Code Protection: Use Dependabot, secret scanning, and signed commits.
Workflow Security: Lock down GitHub Actions permissions, and monitor for new or modified workflows.
Audit Logging: Enable and monitor GitHub audit logs for suspicious activity (e.g., repo downloads, guest user invites).
Summary
UNC6395 is a highly capable adversary that exploited trust in SaaS integrations and OAuth tokens to infiltrate hundreds of organizations. Their campaign underscores the need for OAuth governance, SaaS monitoring, and supply-chain risk management in modern cloud environments.
Credit to: