Alphabet's (GOOG, GOOGL) Google unit said Wednesday that its threat intelligence group is tracking a hacking group, UNC6040, which specializes in voice phishing campaigns to break into companies' Salesforce (CRM) instances for large-scale data theft and extortion.

Google said this hacking group has successfully breached networks over the past several months impersonating IT support personnel.

The hackers have proven effective in tricking employees into actions that grant them access or lead to the sharing of sensitive credentials, ultimately facilitating the theft of organization's Salesforce data, Google said.

In some cases, the hackers were able to manipulate an employee into authorizing a malicious connected app to their organization's Salesforce portal, allowing them to steal Salesforce data.

Hackers have so far relied on manipulating end users and not exploiting any vulnerability in Salesforce tools, Google's threat intelligence group has observed.

In some incidents, the hackers did not demand extortion until several months after the initial intrusion, meaning they would have partnered with a second party that monetizes access to the stolen data.

"During these extortion attempts, the actor has claimed affiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on their victims," the report said.

Price: 168.60, Change: +0.89, Percent Change: +0.53