Google Warns Extortion Crews Are Sending People Into Target Buildings
Google is telling organizations to block external USB storage because a financially motivated extortion crew has been walking into offices and trying to steal data directly from endpoints.
The group is tracked by Google as UNC3753 and is also known as Luna Moth, Chatty Spider, and Silent Ransom Group. Its usual method is social engineering: call the target, pose as IT support, get remote access, pull sensitive files, and then pressure the company with a data-leak threat.
When the remote approach fails, someone shows up in person and claims they need to image a machine or make a local backup because of a security issue.
That turns a helpdesk impersonation scheme into a front-desk problem, a visitor-management problem, and a hardware-control problem.
The Case
Security.NL reported that Google is advising organizations to disable USB read and write capability to reduce the risk of physical data theft. The recommendation follows reporting from Google’s Mandiant team on UNC3753 activity against professional, legal, and financial services organizations in the United States.
Mandiant said it observed a targeted data-theft extortion campaign from January through May 2026.
The campaign hit dozens of organizations, including law firms and other professional services targets. The actor’s goal was not to encrypt systems. It was to get access, locate sensitive documents, remove them, and use the exposure risk to force payment.
The FBI issued a separate FLASH alert on May 26, 2026, warning that Silent Ransom Group has been impersonating IT personnel through phone calls, phishing emails, and in-person visits.
The FBI said the group has targeted U.S.-based law firms consistently since spring 2023, while also victimizing companies in sectors including insurance, finance, and healthcare.
The Attack
The remote attack starts with a pretext. In some cases, the actor sends an invoice-themed or IT-themed email that does not need malware, a link, or an attachment. The email exists to make the follow-up call feel plausible. Once the target is on the phone, the actor presents as internal IT support or security staff and guides the employee into a screen-sharing or remote support session.
Mandiant reported the group using tools and services such as Zoom, Microsoft Teams, Quick Assist, AnyDesk, Bomgar, Zoho Assist, WinSCP, and Rclone. The target may see a normal support session, a familiar collaboration tool, or a legitimate remote administration utility.
Once inside, the operator looks for data quickly. Mandiant described searches across local directories, OneDrive folders, mapped network drives, VDI sessions, and document management systems. In some incidents, data searches and theft began in under an hour. Staged files were then uploaded to cloud storage, moved with WinSCP or Rclone, or sent through victim-accessible services.
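The sequence described above (a remote support session followed quickly by a file-transfer tool) can be turned into a simple correlation over process-creation logs. The following is an added example, not code from Google, Mandiant, or the FBI; the process image names, the one-hour window, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Tool names come from the Mandiant list quoted above; the process image
# names are assumptions about how those tools appear in process-creation logs.
REMOTE_SUPPORT = {"quickassist.exe", "anydesk.exe"}
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}
WINDOW = timedelta(hours=1)  # assumed window, based on "in under an hour"

# Constructed sample events: (timestamp, host, user, process image name).
SAMPLE_EVENTS = [
    ("2026-03-02T09:58:10", "WS-114", "jdoe", "outlook.exe"),
    ("2026-03-02T10:04:31", "WS-114", "jdoe", "QuickAssist.exe"),
    ("2026-03-02T10:41:07", "WS-114", "jdoe", "rclone.exe"),
    ("2026-03-02T11:15:00", "WS-201", "asmith", "AnyDesk.exe"),
    ("2026-03-02T13:30:00", "WS-201", "asmith", "WinSCP.exe"),   # outside window
    ("2026-03-02T14:00:00", "WS-330", "itadmin", "WinSCP.exe"),  # no support session
]

def find_support_then_transfer(events, window=WINDOW):
    """Return alerts where a transfer tool starts on a host within `window`
    of a remote-support tool starting on that same host."""
    parsed = sorted(
        (datetime.fromisoformat(ts), host, user, image.lower())
        for ts, host, user, image in events
    )
    last_support = {}  # host -> (time, image) of the most recent support session
    alerts = []
    for when, host, user, image in parsed:
        if image in REMOTE_SUPPORT:
            last_support[host] = (when, image)
        elif image in TRANSFER_TOOLS and host in last_support:
            started, support_image = last_support[host]
            if when - started <= window:
                alerts.append({
                    "host": host, "user": user,
                    "support_tool": support_image, "transfer_tool": image,
                    "minutes_after": int((when - started).total_seconds() // 60),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_support_then_transfer(SAMPLE_EVENTS):
        print(alert)
```

Transfer tools launched by administrators with no preceding support session are not flagged, which keeps routine WinSCP use from drowning out the pattern the reporting describes.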
The physical version follows the same logic with a different access path. If remote social engineering fails, the actor sends a person to the office. That person claims to be IT support and says the endpoint needs an image or backup because of a security issue. Once they get hands on the machine, they attempt to copy data to a USB drive or external hard drive.
The Actors
UNC3753 is a financially motivated threat cluster. Google tracks it under that name, while the FBI refers to the same activity as Silent Ransom Group. Other aliases include Luna Moth and Chatty Spider. Google says the cluster has been active since at least March 2022 and has shifted over time from subscription-themed callback phishing into internal IT-helpdesk impersonation.
The group is not operating like a traditional ransomware crew in these cases. The FBI said SRG typically avoids encryption and instead focuses on rapid access, immediate exfiltration, and extortion through threats to publish or sell stolen data.
That choice matters operationally. Encryption creates noise. Data theft through a trusted user, a remote support session, or a USB drive can look like normal business activity until the extortion email arrives.
Conclusion
When you speak to clients and they say a derivative of,
“We already know you can get inside our building, why would we pay you to prove it?”
Realize that your client is saying that ANYONE could get inside their building, and that begins and ends their entire physical and, by extension, cyber security. If you have no physical security, then you have no cyber security.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypassing techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2-day course on how to set up and run a physical security audit
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Strategic Operations for Lone Operators - Advanced course for those who are interested in learning how to become a one-man infiltration team.
Counter Elicitation - 2-day course on how to recognize and prevent elicitation attempts, and safeguard your secrets.
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox.
Private Instruction - Focused learning & training based on your needs.
"If you have no physical security, then you have no cyber security."
I used to say this all the time. If any stranger off the street can walk into your server room, any other policies and procedures are rendered useless. IT security is downstream of physical security.
There is no bigger theft than 80 billion dollars,
for Biden and the liberals to bomb pipelines and attack Russians.
There is nothing we can do to stop it.
The American/Western currency is fake.