July 6, 2022 By Jonathan Reed 2 min read

Cybersecurity researchers recently identified a threat group with a possible Russian connection that targets corporate email environments. At first, the researchers thought the UNC3524 gang mostly sought money, as do many ransomware attacks. A deeper look at the group’s actions, however, suggests espionage.

The researchers suspect that UNC3524 has ties to Russia, but it is unclear whether the state directly sponsors the group. UNC3524’s activity does support Russian geopolitical interests related to corporate development, mergers and acquisitions (M&A) and large corporate transactions. Meanwhile, UNC3524 sets itself apart from other attackers with its ability to remain undetected for extended periods of time.

Highly advanced persistent threat

The research into UNC3524, conducted by Mandiant, reveals that the threat group targets trusted systems within victim environments that do not support security toolings, such as antivirus or endpoint protection. As a result, UNC3524 has been able to remain hidden in victim environments for up to 18 months.

These attacks show highly developed operational security, a low malware footprint, proficient evasive skills and a large IoT botnet. These are very advanced characteristics for a threat group. Furthermore, even when victims detect and remove UNC3524 access, the group can re-infect the environment.

Corporate email targets

The primary targets of UNC3524 include victims involved in corporate development, M&A and large corporate transactions. The group focuses on stealing victims’ bulk email data to support espionage campaigns. Emails and email attachments offer a rich source of information about any company, after all. The attackers target, access and search email content across the business.

Stealth attack

According to researchers, after gaining initial access by unknown means, UNC3524 deploys a novel backdoor based on the open-source Dropbear SSH client-server software. These backdoors can be installed on SAN arrays, load balancers and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools.

After establishing a foothold in the network, the group relies on built-in Windows protocols. This technique leaves a very low malware footprint. From there, UNC3524 can establish an SSH encrypted SOCKS tunnel into the victims’ environments. A SOCKS tunnel is the equivalent of plugging in a threat actor’s machine with an ethernet jack to the victim’s network. The actor can then steal data, leaving no trace of the tooling itself.

In each of the UNC3524 victim environments, the threat actor targets a subset of mailboxes. These primarily include executive teams and employees that work in corporate development, M&A or IT security staff. It’s possible that the threat actor spies on IT security team emails to determine if the infection had been detected, as well.

Remediation and hardening strategies

Mandiant offers a variety of remediation and hardening strategies to defend against UNC3524. Some of the suggestions include password rotation, limiting privileged users and enforcing multifactor authentication. To put these methods in place, some organizations opt for a zero trust approach that integrates with secure access service edge (SASE) services.

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More cybersecurity threat resources are available here.

More from News

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

State Department releases International Cyberspace and Digital Policy Strategy

3 min read - U.S. Secretary of State Antony Blinken announced the new U.S. International Cyberspace and Digital Policy Strategy during the recent RSA Conference in San Francisco. The strategy emphasizes the role of technology in diplomacy and the urgent need to build international coalitions. “Security, stability, prosperity — they are no longer solely analog matters,” Blinken said at the conference. The new strategy focuses on “digital solidarity” not “digital sovereignty,” Blinken said, emphasizing the importance of collaboration with like-minded nations. Also mentioned was…

DHS establishes Artificial Intelligence Safety and Security Board

3 min read - As part of its commitment to addressing the rapid growth and adoption of AI technology across all industries and sectors, the Department of Homeland Security (DHS) announced the establishment of the Artificial Intelligence Safety and Security Board in late April. The Board’s first meeting is planned for early May when they will begin the task of focusing on how to develop and deploy AI technology within the United States’ critical infrastructure safely and securely. Based on the DHS Homeland Threat…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today