July 6, 2022 By Jonathan Reed 2 min read

Cybersecurity researchers recently identified a threat group with a possible Russian connection that targets corporate email environments. At first, the researchers thought the UNC3524 gang mostly sought money, as do many ransomware attacks. A deeper look at the group’s actions, however, suggests espionage.

The researchers suspect that UNC3524 has ties to Russia, but it is unclear whether the state directly sponsors the group. UNC3524’s activity does support Russian geopolitical interests related to corporate development, mergers and acquisitions (M&A) and large corporate transactions. Meanwhile, UNC3524 sets itself apart from other attackers with its ability to remain undetected for extended periods of time.

Highly advanced persistent threat

The research into UNC3524, conducted by Mandiant, reveals that the threat group targets trusted systems within victim environments that do not support security toolings, such as antivirus or endpoint protection. As a result, UNC3524 has been able to remain hidden in victim environments for up to 18 months.

These attacks show highly developed operational security, a low malware footprint, proficient evasive skills and a large IoT botnet. These are very advanced characteristics for a threat group. Furthermore, even when victims detect and remove UNC3524 access, the group can re-infect the environment.

Corporate email targets

The primary targets of UNC3524 include victims involved in corporate development, M&A and large corporate transactions. The group focuses on stealing victims’ bulk email data to support espionage campaigns. Emails and email attachments offer a rich source of information about any company, after all. The attackers target, access and search email content across the business.

Stealth attack

According to researchers, after gaining initial access by unknown means, UNC3524 deploys a novel backdoor based on the open-source Dropbear SSH client-server software. These backdoors can be installed on SAN arrays, load balancers and wireless access point controllers. These kinds of devices don’t support antivirus or endpoint detection and response tools.

After establishing a foothold in the network, the group relies on built-in Windows protocols. This technique leaves a very low malware footprint. From there, UNC3524 can establish an SSH encrypted SOCKS tunnel into the victims’ environments. A SOCKS tunnel is the equivalent of plugging in a threat actor’s machine with an ethernet jack to the victim’s network. The actor can then steal data, leaving no trace of the tooling itself.

In each of the UNC3524 victim environments, the threat actor targets a subset of mailboxes. These primarily include executive teams and employees that work in corporate development, M&A or IT security staff. It’s possible that the threat actor spies on IT security team emails to determine if the infection had been detected, as well.

Remediation and hardening strategies

Mandiant offers a variety of remediation and hardening strategies to defend against UNC3524. Some of the suggestions include password rotation, limiting privileged users and enforcing multifactor authentication. To put these methods in place, some organizations opt for a zero trust approach that integrates with secure access service edge (SASE) services.

If you have questions and want a deeper discussion about the malware and prevention techniques, you can schedule a briefing here. Get the latest updates as more information develops on the IBM Security X-Force Exchange and the IBM PSIRT blog.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More cybersecurity threat resources are available here.

More from News

Insights from CISA’s red team findings and the evolution of EDR

3 min read - A recent CISA red team assessment of a United States critical infrastructure organization revealed systemic vulnerabilities in modern cybersecurity. Among the most pressing issues was a heavy reliance on endpoint detection and response (EDR) solutions, paired with a lack of network-level protections. These findings underscore a familiar challenge: Why do organizations place so much trust in EDR alone, and what must change to address its shortcomings? EDR’s double-edged sword A cornerstone of cyber resilience strategy, EDR solutions are prized for…

DHS: Guidance for AI in critical infrastructure

4 min read - At the end of 2024, we've reached a moment in artificial intelligence (AI) development where government involvement can help shape the trajectory of this extremely pervasive technology. In the most recent example, the Department of Homeland Security (DHS) has released what it calls a "first-of-its-kind" framework designed to ensure the safe and secure deployment of AI across critical infrastructure sectors. The framework could be the catalyst for what could become a comprehensive set of regulatory measures, as it brings into…

Apple Intelligence raises stakes in privacy and security

3 min read - Apple’s latest innovation, Apple Intelligence, is redefining what’s possible in consumer technology. Integrated into iOS 18.1, iPadOS 18.1 and macOS Sequoia 15.1, this milestone puts advanced artificial intelligence (AI) tools directly in the hands of millions. Beyond being a breakthrough for personal convenience, it represents an enormous economic opportunity. But the bold step into accessible AI comes with critical questions about security, privacy and the risks of real-time decision-making in users’ most private digital spaces. AI in every pocket Having…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today