A previously unknown cyber-espionage group uses clever techniques to penetrate corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and it managed to remain undetected by victims for more than 18 months.
Tracked by cybersecurity researchers at Mandiant under the name UNC3524, the hacking operation has been active since at least December 2019 and uses a variety of advanced methods to move through compromised networks and stay there persistently, which sets it apart from most other hacking groups. These methods include the ability to reinfect environments immediately after access has been removed. It is currently unknown how initial access is achieved.
One of the reasons UNC3524 is so successful at maintaining persistence in networks over such a long period of time is that it installs backdoors in applications and services that don’t support security tools like antivirus or endpoint protection.
The attacks also exploit vulnerabilities in Internet of Things (IoT) products, including conference room cameras, to plant a backdoor on those devices and enroll them into a botnet that is used for lateral movement across networks and for reaching internal servers.
From here, the attackers gain a foothold on Windows networks, deploying malware that leaves almost no trace and abusing built-in Windows protocols, which helps the group obtain privileged credentials for the victim’s Microsoft Office 365 email environment and Microsoft Exchange Server.
This combination of unmonitored IoT devices, stealthy malware, and abuse of legitimate Windows protocols whose traffic blends in with normal activity means that UNC3524 is difficult to detect, and it is also why the attackers could go unnoticed in victim networks for such a long time.
“By attacking trusted systems in victim environments that do not support any security tools, UNC3524 was able to remain undetected in victim environments for at least 18 months,” Mandiant researchers write.
And if their access to Windows was somehow removed, the attackers would come back in almost immediately to continue the spying and data-stealing campaign.
UNC3524 has a heavy focus on emails from employees working on corporate development, mergers and acquisitions, and large corporate transactions. While this may appear to indicate a financial motivation for attacks, the fact that they have been on networks for months or even years leads researchers to believe that the real motivation behind the attacks is espionage.
Mandiant researchers say that some of the techniques UNC3524 uses once inside a network overlap with those of Russia-based cyberespionage groups, including APT28 (Fancy Bear) and APT29 (Cozy Bear).
However, they also note that they currently “cannot conclusively link UNC3524 to any existing group” but emphasize that UNC3524 is an advanced espionage campaign that exhibits a rarely seen high level of sophistication.
“During their operations, the threat actor has demonstrated a sophisticated level of operational security that we only see demonstrated by a small number of threat actors,” they said.
One of the reasons UNC3524 is so effective is its ability to remain undetected by abusing tools and software that receive little monitoring. Researchers suggest that the best way to detect it is through network-based logging.
Additionally, since the attacks aim to exploit unsecured and unmonitored IoT devices and systems, it is suggested that “Organizations should take steps to inventory their devices that are on the network and do not support monitoring tools.”
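The two recommendations above, network-based logging and an inventory of devices that cannot run monitoring tools, can be combined into a simple triage: hosts that appear on the wire but never report to an endpoint agent are the inventory gap, and any such host initiating connections over built-in Windows protocols deserves a look. The following is an added illustration written for this article, not code from Mandiant or ZDNet; the flow records, the EDR inventory and the field layout are constructed sample data.

```python
# Added example (not from Mandiant or ZDNet): flow-log triage for hosts outside
# endpoint monitoring. Flow lines and the EDR inventory are constructed sample
# data; the CSV layout (src,dst,dport,bytes) is an assumption, not a real schema.
from collections import defaultdict

# Windows/management ports an unmanaged device (camera, appliance) should not be
# initiating connections to on its own.
WINDOWS_SERVICE_PORTS = {445: "SMB", 389: "LDAP", 3389: "RDP",
                         5985: "WinRM", 5986: "WinRM-TLS"}

# Constructed EDR inventory: hosts on which an endpoint agent reports in.
EDR_MANAGED_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.2.50"}

# Constructed flow log, one flow per line: src,dst,dport,bytes
SAMPLE_FLOWS = """\
10.0.1.10,10.0.2.50,445,18200
10.0.9.23,10.0.2.50,445,910000
10.0.9.23,10.0.2.51,389,4400
10.0.9.23,203.0.113.7,8443,22000
10.0.1.11,10.0.2.50,443,3100
10.0.9.24,10.0.2.50,443,800
"""

def parse_flows(text):
    """Parse flow lines into (src, dst, dport, bytes) tuples, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, nbytes = line.split(",")
        flows.append((src, dst, int(dport), int(nbytes)))
    return flows

def unmanaged_hosts(flows, managed):
    """Hosts seen on the network that no endpoint agent reports for."""
    return {src for src, _, _, _ in flows if src not in managed}

def suspicious_flows(flows, managed):
    """Unmanaged sources opening Windows-protocol connections, grouped by source."""
    findings = defaultdict(list)
    for src, dst, dport, nbytes in flows:
        if src not in managed and dport in WINDOWS_SERVICE_PORTS:
            findings[src].append((dst, WINDOWS_SERVICE_PORTS[dport], nbytes))
    return dict(findings)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unmanaged hosts:", sorted(unmanaged_hosts(flows, EDR_MANAGED_HOSTS)))
    for src, hits in suspicious_flows(flows, EDR_MANAGED_HOSTS).items():
        print(src, "->", hits)
```

On the sample data, 10.0.9.23 and 10.0.9.24 are the inventory gap, and only 10.0.9.23 is flagged, for SMB and LDAP connections to internal servers; the same logic runs unchanged over exported NetFlow or firewall logs once the parser matches their columns.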