Cybersecurity researchers recently identified a threat group with a possible Russian connection that targets corporate email environments. At first, the researchers thought the UNC3524 gang mostly sought money, as do many ransomware attacks. A deeper look at the group’s actions, however, suggests espionage.

The researchers suspect that UNC3524 has ties to Russia, but it is unclear whether the state directly sponsors the group. UNC3524’s activity does support Russian geopolitical interests related to corporate development, mergers and acquisitions (M&A) and large corporate transactions. Meanwhile, UNC3524 sets itself apart from other attackers with its ability to remain undetected for extended periods of time.

Highly advanced persistent threat

The research into UNC3524, conducted by Mandiant, reveals that the threat group targets trusted systems within victim environments that do not support security toolings, such as antivirus or endpoint protection. As a result, UNC3524 has been able to remain hidden in victim environments for up to 18 months.

These attacks show highly developed operational security, a low malware footprint, proficient evasive skills and a large IoT botnet. These are very advanced characteristics for a threat group. Furthermore, even when victims detect and remove UNC3524 access, the group can re-infect the environment.

Corporate email targets

The primary targets of UNC3524 include victims involved in corporate development, M&A and large corporate transactions. The group focuses on stealing victims’ bulk email data to support espionage campaigns. Emails and email attachments offer a rich source of information about any company, after all. The attackers target, access and search email content across the business.

Stealth attack

According to researchers, after gaining initial access by unknown means, UNC3524 deploys a novel backdoor based on the open-source Dropbear SSH client-server software. These backdoors can be installed on SAN arrays, load balancers and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools.

After establishing a foothold in the network, the group relies on built-in Windows protocols. This technique leaves a very low malware footprint. From there, UNC3524 can establish an SSH encrypted SOCKS tunnel into the victims’ environments. A SOCKS tunnel is the equivalent of plugging in a threat actor’s machine with an ethernet jack to the victim’s network. The actor can then steal data, leaving no trace of the tooling itself.

In each of the UNC3524 victim environments, the threat actor targets a subset of mailboxes. These primarily include executive teams and employees that work in corporate development, M&A or IT security staff. It’s possible that the threat actor spies on IT security team emails to determine if the infection had been detected, as well.

Remediation and hardening strategies

Mandiant offers a variety of remediation and hardening strategies to defend against UNC3524. Some of the suggestions include password rotation, limiting privileged users and enforcing multifactor authentication. To put these methods in place, some organizations opt for a zero trust approach that integrates with secure access service edge (SASE) services.

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More cybersecurity threat resources are available here.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…