UNC2452 is a sophisticated group that has targeted government and private sector entities worldwide. They have employed many unique capabilities, including gaining initial access through a software supply chain vulnerability.
After gaining access to a victim network, UNC2452 maintains a light malware footprint, often using legitimate credentials to access data and move laterally. The US government attributed the SolarWinds supply chain compromise, which we track as UNC2452, to the Russian Foreign Intelligence Service (SVR). Mandiant Threat Intelligence assesses that UNC2452 activity aligns broadly with nation-state priorities and that the group’s targeting patterns are consistent with Russian strategic interests.
UNC1878 is a financially motivated group that monetizes its intrusions by extorting victims following the deployment of RYUK ransomware. As of September 2020, Mandiant has increasingly observed KEGTAP campaigns as the initial infection vector for UNC1878 operations; previously, UNC1878 used TrickBot for initial access. UNC1878 has used various offensive security tools, most commonly Cobalt Strike BEACON, along with legitimate tools and built-in commands such as PsExec, WMI, and BITSAdmin.
UNC1945 is a group that has been observed targeting a number of organizations in the telecommunications, financial, and business services industries since at least early 2018. The goal of UNC1945 is currently unknown because Mandiant has not been able to observe the activities that followed UNC1945 compromises. Based on available information, Mandiant has not been able to assess a general location from which the group operates.
UNC2529 is a well-resourced and experienced group that has targeted multiple organizations across numerous industries in a global phishing campaign. It has used phishing emails containing inline links to malicious URLs hosting DOUBLEDRAG malware, a highly obfuscated JavaScript downloader. UNC2529 has also used weaponized Microsoft Excel documents as a first-stage downloader. DOUBLEDRAG attempts to download a second-stage obfuscated PowerShell memory-only dropper, which Mandiant tracks as DOUBLEDROP, that launches a backdoor into memory. This third-stage backdoor is tracked as DOUBLEBACK. UNC2529 displayed indications of target research based on its selection of sender email addresses and subject lines, which were tailored to the intended victims. Although Mandiant has no data on the objectives of this threat actor, its broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups.