Blast radius of TeamPCP attacks expands amid hacker infighting

April 4, 2026 | 6 min read | 3 sources

A murky threat emerges from the shadows

A complicated series of supply chain attacks and high-profile data breaches has left security teams scrambling to understand a threat that is as much about misdirection as it is about technical intrusion. At the center of this storm is a threat actor known on hacking forums as "TeamPCP," a group that security firm Mandiant tracks under the designation UNC3944. This group’s methods bear a striking resemblance to the notorious Lapsus$ extortion gang, which gained infamy in 2022 for its attacks on NVIDIA, Microsoft, and Okta.

The situation has become increasingly convoluted as other prominent cybercrime syndicates, including the data broker ShinyHunters and the ALPHV/BlackCat ransomware group, have claimed involvement in or taken credit for related attacks. This public squabbling and these overlapping claims, particularly around the recent breaches of MGM Resorts and Caesars Entertainment, have created a fog of war for enterprise defenders trying to attribute attacks and anticipate the adversary’s next move.

Technical details: The human is the vulnerability

Unlike attacks that rely on exploiting a specific software flaw, the campaigns associated with UNC3944/TeamPCP weaponize human trust and procedural gaps. Their primary vector is sophisticated social engineering, a method that bypasses many technical security controls by targeting the people who operate them.

The group’s playbook, detailed in Mandiant’s research, involves several key tactics:

  • Targeted Vishing: Attackers engage in voice phishing (vishing), often impersonating an employee or, more effectively, an IT help desk technician. In a well-documented technique, they call a company's IT support line to convince staff to reset passwords or enroll a new multi-factor authentication (MFA) device under their control.
  • SIM Swapping: A core component of their strategy is SIM swapping. By tricking a mobile carrier, attackers port a target’s phone number to a SIM card they possess. This allows them to intercept one-time passcodes sent via SMS, effectively neutralizing a common form of MFA.
  • MFA Fatigue: In some cases, the attackers simply overwhelm a target with push notifications from an authenticator app, hoping the user will approve a request out of annoyance or confusion, granting the attackers access.
  • Legitimate Tool Abuse: Once inside a network, UNC3944 often uses legitimate remote administration tools like AnyDesk or TeamViewer. This tactic helps them blend in with normal network traffic, making their activity difficult to detect with traditional signature-based security products. They gain control over systems, exfiltrate data, and establish persistence without deploying custom malware that might trigger alarms.

The focus on identity and access management (IAM) systems is a hallmark of this group. After gaining an initial foothold, they immediately move to compromise platforms like Okta or Azure Active Directory to escalate their privileges, create new accounts, and secure their long-term presence in the victim’s environment.

Impact assessment: A widening circle of victims

The consequences of these attacks are severe and far-reaching. The high-profile breaches at MGM Resorts and Caesars Entertainment in September 2023 serve as powerful examples. Caesars reportedly paid a multi-million dollar ransom to the attackers (claimed by Lapsus$) to prevent the release of a massive customer database. MGM, which refused to pay a ransom demanded by the ALPHV/BlackCat ransomware gang, suffered prolonged and public operational disruption that impacted everything from hotel key cards and ATMs to slot machines, costing the company an estimated $100 million.

The confusion surrounding attribution makes response even more difficult. In the MGM incident, ALPHV/BlackCat claimed responsibility for the ransomware deployment, but the initial access TTPs mirrored those of UNC3944. Later, the data broker ShinyHunters appeared on forums attempting to sell data allegedly stolen from MGM. This multi-actor involvement suggests a fractured and opportunistic cybercrime ecosystem where initial access brokers, ransomware affiliates, and data sellers collaborate or compete, complicating an organization's ability to respond effectively.

The impact extends beyond the primary target. As a supply chain threat, UNC3944's compromise of a single managed service provider (MSP) or software vendor can grant them access to dozens or hundreds of downstream clients. Every customer of a breached organization is also a victim, their personal and financial data exposed to identity theft and targeted fraud for years to come.

How to protect yourself

Defending against an adversary that targets people and processes requires a shift in security strategy away from a purely technology-centric model. Organizations must build a resilient security culture and harden the systems that manage digital identity.

  1. Fortify the Human Firewall: Generic annual security training is not enough. Conduct regular, realistic phishing and vishing simulations. Provide intensive, role-specific training for help desk, IT support, and administrative staff who are on the front lines of these social engineering attacks. They must be empowered and trained to verify unusual or high-risk requests through out-of-band communication channels.
  2. Harden Identity and Access Management (IAM): The most critical step is to move away from easily intercepted MFA methods such as SMS codes and push notifications. Mandate the use of phishing-resistant authenticators, such as FIDO2-compliant hardware security keys (e.g., YubiKey) or Windows Hello for Business. Implement strict controls around the MFA enrollment process and monitor for any unusual device additions or changes to user accounts.
  3. Implement Zero Trust Principles: Operate under the assumption that an attacker is already inside your network. Enforce the principle of least privilege, ensuring users and systems only have access to the resources absolutely necessary for their function. Segment networks to prevent lateral movement and require re-authentication for access to sensitive applications and data.
  4. Monitor for Behavioral Anomalies: Since these attackers use legitimate tools, focus detection efforts on behavior. Monitor for suspicious logins from unfamiliar locations, impossible travel scenarios, or repeated failed MFA attempts. Scrutinize the installation and use of remote access software, and ensure that remote connections from employees are secured through a trusted hide.me VPN to protect data in transit.
  5. Strengthen Vendor Risk Management: Thoroughly vet the security posture of all third-party vendors, especially MSPs and those with privileged access to your environment. Inquire specifically about their IAM controls, social engineering defenses, and incident response plans.
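The behaviour-based monitoring called for in steps 2 and 4 (unusual MFA enrollments around account changes, impossible travel, repeated push denials, launches of remote-administration tools) can be expressed as a handful of simple rules over identity-provider and endpoint events. The script below is an added example and is not code from the article or from Mandiant; the event schema, the thresholds (900 km/h, five denials in ten minutes, a one-hour pairing window) and every sample event are constructed assumptions for the demo, and real Okta or Azure AD logs would first have to be mapped onto that schema.

```python
"""Behaviour-based detections over constructed identity and endpoint events.
Added example, not from the article: schema, thresholds and sample data are assumptions."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

Event = namedtuple("Event", "ts user kind src geo detail")

# Constructed sample events: (UTC time, user, event kind, source IP or host, (lat, lon) or None, detail)
EVENTS = [
    ("2026-04-01T09:00:00", "alice", "login.success", "203.0.113.5", (47.6, -122.3), ""),  # Seattle
    ("2026-04-01T09:40:00", "alice", "login.success", "198.51.100.9", (52.5, 13.4), ""),   # Berlin, 40 min later
    ("2026-04-01T20:00:00", "alice", "login.success", "203.0.113.5", (47.6, -122.3), ""),  # Seattle again: plausible
    ("2026-04-01T10:00:00", "bob", "mfa.push.denied", "192.0.2.7", (37.8, -122.4), ""),
    ("2026-04-01T10:02:00", "bob", "mfa.push.denied", "192.0.2.7", (37.8, -122.4), ""),
    ("2026-04-01T10:03:00", "bob", "mfa.push.denied", "192.0.2.7", (37.8, -122.4), ""),
    ("2026-04-01T10:05:00", "bob", "mfa.push.denied", "192.0.2.7", (37.8, -122.4), ""),
    ("2026-04-01T10:08:00", "bob", "mfa.push.denied", "192.0.2.7", (37.8, -122.4), ""),
    ("2026-04-01T10:30:00", "erin", "mfa.push.denied", "192.0.2.9", (40.7, -74.0), ""),    # a single denial: benign
    ("2026-04-01T11:00:00", "carol", "password.reset.helpdesk", "10.0.0.3", None, "ticket-0001"),
    ("2026-04-01T11:07:00", "carol", "mfa.factor.enrolled", "192.0.2.8", (40.7, -74.0), "authenticator-app"),
    ("2026-04-01T12:00:00", "dave", "process.start", "ws-042", None, "AnyDesk.exe"),
    ("2026-04-01T12:05:00", "erin", "process.start", "ws-043", None, "notepad.exe"),
]


def parse(raw):
    """Turn raw tuples into Event records with datetime timestamps."""
    return [Event(datetime.fromisoformat(r[0]), *r[1:]) for r in raw]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Consecutive successful logins by one user that imply faster-than-airliner travel."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e.kind == "login.success" and e.geo is not None:
            by_user[e.user].append(e)
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e.ts)
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev.geo, cur.geo)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            if km >= min_km and (hours == 0 or km / hours > max_kmh):  # min_km absorbs geo-IP jitter
                alerts.append((user, round(km), round(hours, 2), prev.src, cur.src))
    return alerts


def mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` denied push prompts for one user inside a sliding time window."""
    alerts, by_user = [], defaultdict(list)
    for e in events:
        if e.kind == "mfa.push.denied":
            by_user[e.user].append(e.ts)
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1, times[start], times[end]))
                break
    return alerts


def enrollment_near_helpdesk_reset(events, window=timedelta(hours=1)):
    """A new MFA factor enrolled within `window` of a help-desk password reset: the vishing pattern."""
    resets = [e for e in events if e.kind == "password.reset.helpdesk"]
    enrolls = [e for e in events if e.kind == "mfa.factor.enrolled"]
    return [(r.user, r.detail, en.ts, en.detail) for r in resets for en in enrolls
            if en.user == r.user and abs(en.ts - r.ts) <= window]


# Constructed watchlist of remote-administration binaries; extend it from your own EDR telemetry.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}


def remote_tool_starts(events, allowed_hosts=frozenset()):
    """Remote-admin tool launches on hosts that are not on the approved list."""
    return [(e.user, e.src, e.detail) for e in events
            if e.kind == "process.start" and e.detail.lower() in REMOTE_TOOLS
            and e.src not in allowed_hosts]


def run_all(raw):
    """Run every rule and return only the rules that fired, keyed by rule name."""
    evs = parse(raw)
    results = {
        "impossible_travel": impossible_travel(evs),
        "mfa_fatigue": mfa_fatigue(evs),
        "mfa_enrollment_near_reset": enrollment_near_helpdesk_reset(evs),
        "remote_tool": remote_tool_starts(evs),
    }
    return {name: hits for name, hits in results.items() if hits}


if __name__ == "__main__":
    print(run_all(EVENTS))
```

Running the script prints four hits (alice's Seattle-to-Berlin hop, bob's five denials, carol's enrollment seven minutes after a help-desk reset, and the AnyDesk launch on dave's workstation) and stays silent on alice's later return flight, erin's single denial and the notepad launch. The enrollment-near-reset rule is the one most specific to the help-desk vishing described above: either event alone is routine, and it is the pairing inside a short window that should trigger an out-of-band call back to the user.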

The rise of UNC3944 and the chaos created by its peers underscore a fundamental truth of modern cybersecurity: An attacker will always follow the path of least resistance. As organizations strengthen their technical perimeters, that path increasingly leads through the front door, armed with a convincing phone call and a compromised identity.


// FAQ

Who is the threat actor TeamPCP?

TeamPCP is an alias used on hacking forums by a financially motivated threat actor. Cybersecurity researchers at Mandiant track this group as UNC3944 and have noted a high degree of overlap in tactics, techniques, and victims with the notorious Lapsus$ extortion group.

What makes the TeamPCP and Lapsus$ attacks so effective?

Their effectiveness comes from their mastery of social engineering. Instead of relying solely on software exploits, they target people. By impersonating employees or IT staff, they trick their way into gaining access, bypassing security controls by exploiting human trust and weaknesses in identity verification processes.

Why are so many different hacker groups claiming involvement in the same breaches?

This reflects the specialization within the cybercrime ecosystem. One group (an initial access broker) may gain entry and sell that access to another group that deploys ransomware or steals data. It can also be opportunistic, with multiple groups claiming credit for a high-profile attack to boost their reputation. This intentional confusion makes attribution and response much harder for victims.

How can I defend against SIM swapping attacks?

The best defense is to move away from SMS-based multi-factor authentication (MFA). Instead, use phishing-resistant methods like FIDO2 hardware security keys or authenticator apps that use number matching or biometrics. You can also contact your mobile carrier to add a PIN or password to your account for extra protection against unauthorized port-out requests.

Is my organization at risk even if we are not in the technology or gaming sectors?

Yes. While these groups have targeted high-profile tech and gaming companies, their methods are sector-agnostic. Any organization with an IT help desk, remote employees, and cloud-based identity systems is a potential target. The core TTPs exploit common business processes, not industry-specific software.
