- A sophisticated espionage threat campaign targeted at least 10 organizations globally by gaining persistent access to corporate email accounts for information related to mergers and acquisitions, according to Mandiant research released this week.
- The suspected threat actor, UNC3524, targets the email accounts of executives involved in corporate development and large transactions.
- The threat remained undetected in victim environments for at least 18 months in some cases by hiding in blind spots of most organizations’ security controls. UNC3524 gained footholds in forgotten network appliances, IoT devices and other trusted systems that don’t support security tools, Tyler McLellan, principal threat analyst at Mandiant, wrote in an email.
The singular focus on email collection combined with an extended dwell time indicates UNC3524’s primary goal is to gain information on corporate strategy and decision making instead of a quick financial win, McLellan said.
Mandiant describes UNC3524 as a highly sophisticated threat actor that successfully evaded detection by appearing to access Microsoft Exchange email accounts from within its victim’s IP space. It used advanced tactics that allowed it to gain multiple footholds and consistently maintain access to sensitive corporate data.
“Besides the obvious data theft issue, long-term access allows the threat actor to learn the lay of the land inside the victim network to find configuration loopholes that could bypass two-factor authentication and collect previously used account passwords that may inform future re-compromise activity,” McLellan said.
The group also deployed a novel backdoor based on the open source Dropbear SSH client-server software, identified by Mandiant as QUIETEXIT, on storage area network arrays, load balancers and wireless access point controllers to sustain remote access to victim environments.
This malware tactic, which favored existing SSH tunnels, requires extensive planning and makes host-based hunting and detection extremely difficult. The best chance for discovery is in network-based logging.
“The most stealthy harmful method used is the least surprising, and perhaps not so sophisticated after all, which is their targeting of unsecured operational technologies,” Michela Menting, digital security research director at ABI Research, wrote in an email. “Ultimately, they are after the weakest link in an organization’s defenses.”
Enterprises can minimize these threats by monitoring network traffic for anomalous behavior, implementing a zero-trust approach to cybersecurity and following strict identity and access management controls, she said.
McLellan encourages organizations to use a central monitoring system for all security alerts, especially as more services move to clouds with disparate logging and security practices. “Proactive threat hunting and red teaming are part of overall security posture to find weaknesses and problems before they can be used by a threat actor,” he said.
The group’s methodologies emulate techniques used by multiple Russia-based espionage threat actors, according to Mandiant, and its longer-term strategy reinforces that speculation. “In large part, such threat actors are either state sponsored or state backed, insofar as they don’t need an immediate payout,” Menting said.
The group primarily targeted U.S. businesses, but overseas organizations were also compromised by UNC3524 and opportunistically used as infrastructure to hop through, McLellan said