Cybersecurity researchers recently identified a threat group with a possible Russian connection that targets corporate email environments. At first, the researchers thought the UNC3524 gang mostly sought money, as do many ransomware attacks. A deeper look at the group’s actions, however, suggests espionage.

The researchers suspect that UNC3524 has ties to Russia, but it is unclear whether the state directly sponsors the group. UNC3524’s activity does support Russian geopolitical interests related to corporate development, mergers and acquisitions (M&A) and large corporate transactions. Meanwhile, UNC3524 sets itself apart from other attackers with its ability to remain undetected for extended periods of time.

Highly advanced persistent threat

The research into UNC3524, conducted by Mandiant, reveals that the threat group targets trusted systems within victim environments that do not support security toolings, such as antivirus or endpoint protection. As a result, UNC3524 has been able to remain hidden in victim environments for up to 18 months.

These attacks show highly developed operational security, a low malware footprint, proficient evasive skills and a large IoT botnet. These are very advanced characteristics for a threat group. Furthermore, even when victims detect and remove UNC3524 access, the group can re-infect the environment.

Corporate email targets

The primary targets of UNC3524 include victims involved in corporate development, M&A and large corporate transactions. The group focuses on stealing victims’ bulk email data to support espionage campaigns. Emails and email attachments offer a rich source of information about any company, after all. The attackers target, access and search email content across the business.

Stealth attack

According to researchers, after gaining initial access by unknown means, UNC3524 deploys a novel backdoor based on the open-source Dropbear SSH client-server software. These backdoors can be installed on SAN arrays, load balancers and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools.

After establishing a foothold in the network, the group relies on built-in Windows protocols. This technique leaves a very low malware footprint. From there, UNC3524 can establish an SSH encrypted SOCKS tunnel into the victims’ environments. A SOCKS tunnel is the equivalent of plugging in a threat actor’s machine with an ethernet jack to the victim’s network. The actor can then steal data, leaving no trace of the tooling itself.

In each of the UNC3524 victim environments, the threat actor targets a subset of mailboxes. These primarily include executive teams and employees that work in corporate development, M&A or IT security staff. It’s possible that the threat actor spies on IT security team emails to determine if the infection had been detected, as well.

Remediation and hardening strategies

Mandiant offers a variety of remediation and hardening strategies to defend against UNC3524. Some of the suggestions include password rotation, limiting privileged users and enforcing multifactor authentication. To put these methods in place, some organizations opt for a zero trust approach that integrates with secure access service edge (SASE) services.

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More cybersecurity threat resources are available here.