Cybersecurity researchers recently identified a threat group with a possible Russian connection that targets corporate email environments. At first, the researchers thought the UNC3524 gang mostly sought money, as do many ransomware attacks. A deeper look at the group’s actions, however, suggests espionage.

The researchers suspect that UNC3524 has ties to Russia, but it is unclear whether the state directly sponsors the group. UNC3524’s activity does support Russian geopolitical interests related to corporate development, mergers and acquisitions (M&A) and large corporate transactions. Meanwhile, UNC3524 sets itself apart from other attackers with its ability to remain undetected for extended periods of time.

Highly Advanced Persistent Threat

The research into UNC3524, conducted by Mandiant, reveals that the threat group targets trusted systems within victim environments that do not support security toolings, such as antivirus or endpoint protection. As a result, UNC3524 has been able to remain hidden in victim environments for up to 18 months.

These attacks show highly developed operational security, a low malware footprint, proficient evasive skills and a large IoT botnet. These are very advanced characteristics for a threat group. Furthermore, even when victims detect and remove UNC3524 access, the group can re-infect the environment.

Corporate Email Targets

The primary targets of UNC3524 include victims involved in corporate development, M&A and large corporate transactions. The group focuses on stealing victims’ bulk email data to support espionage campaigns. Emails and email attachments offer a rich source of information about any company, after all. The attackers target, access and search email content across the business.

Stealth Attack

According to researchers, after gaining initial access by unknown means, UNC3524 deploys a novel backdoor based on the open-source Dropbear SSH client-server software. These backdoors can be installed on SAN arrays, load balancers and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools.

After establishing a foothold in the network, the group relies on built-in Windows protocols. This technique leaves a very low malware footprint. From there, UNC3524 can establish an SSH encrypted SOCKS tunnel into the victims’ environments. A SOCKS tunnel is the equivalent of plugging in a threat actor’s machine with an ethernet jack to the victim’s network. The actor can then steal data, leaving no trace of the tooling itself.

In each of the UNC3524 victim environments, the threat actor targets a subset of mailboxes. These primarily include executive teams and employees that work in corporate development, M&A or IT security staff. It’s possible that the threat actor spies on IT security team emails to determine if the infection had been detected, as well.

Remediation and Hardening Strategies

Mandiant offers a variety of remediation and hardening strategies to defend against UNC3524. Some of the suggestions include password rotation, limiting privileged users and enforcing multifactor authentication. To put these methods in place, some organizations opt for a zero trust approach that integrates with secure access service edge (SASE) services.

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More cybersecurity threat resources are available here.

More from News

Hackers are Increasingly Targeting Auto Dealers

Auto dealerships are increasingly concerned with cybersecurity in the face of new regulations and an alarming rise in cyberattacks. The Second Annual Global State of Cybersecurity Report by CDK Global found that 85% of dealerships say cybersecurity is very or extremely important relative to other operational areas. Additionally, 89% say cybersecurity is more important than last year, a 12% increase. Not surprisingly, only 37% of auto retailers are confident in the current protection, which is a 21% decrease from 2021.…

LastPass Breaches Cast Doubt on Password Manager Safety

In 2022, LastPass suffered a string of security breaches which sparked concern among cyber professionals and those impacted by the intrusions. Some called into question the way LastPass handled and responded to the incident. In addition, the situation ignited a wider conversation about the risks linked to utilizing password managers. A password manager helps users generate strong passwords and safeguards them within a digital locker. A master password secures all data, which enables users to conveniently access all their passwords…

Good Guys Decrypt Ransomware Targeting Charitable Groups

Imagine you’re an IT manager amid a ransomware attack. While your team scrambles for solutions, the intruders demand a ransom. Of course, you don’t want to pay; you just want your files back. But as time ticks by and the extortionists turn up the heat, your bosses are about to give in and pay the ransom. But then, the FBI calls. “Don’t pay,” the agent says. “We’ve found someone who can crack the encryption.” Sound too good to be true?…

Threat Groups Offer $240k Salary to Tech Jobseekers

Dark web forums are home to various individuals interested in conducting illicit or questionable activities. These forums offer opportunities such as the transaction of stolen data, Malware-as-a-Service, hacking services and invitations to collaborate in hacktivism. Cyber crime team members are recruited directly from the source: the dark web. What does this activity look like? Kaspersky recently conducted an analysis of 155 dark web forums from January 2020 to June 2022. They examined job postings and resumes that contained information about…