A new espionage actor is breaching corporate networks to steal emails from employees involved in big financial transactions like mergers and acquisitions.
Mandiant researchers, which first discovered the advanced persistent threat (APT) group in December 2019 and now tracks it as “UNC3524”, says that while the group’s corporate targets hint at financial motivation, its longer-than-average dwell time in a victim’s environment suggests an intelligence gathering mandate. In some cases, UNC3524 remained undetected in victims’ environments for as long as 18 months, versus an average dwell time of 21 days in 2021.
Mandiant credits the group’s success at achieving such a long dwell time to its unique approach to its use of a novel backdoor — tracked as “QuietExit” — on network appliances that do not support antivirus or endpoint detection, such as storage arrays, load balancers and wireless access point controllers.
The QuietExit backdoor’s command-and-control servers are part of a botnet built by compromising D-Link and LifeSize conference room camera systems, according to Mandiant, which said the compromised devices were likely breached due to the use of default credentials, rather than an exploit. TechCrunch contacted D-Link and LifeSize but did not hear back.
“The high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things device botnet set this group apart and emphasize the ‘advanced’ in advanced persistent threat,” Mandiant researchers wrote in their blog post Monday.
Additionally, if UNC3524’s access was removed from a victim’s environment, the threat actor “wasted no-time wasted no time re-compromising the environment with a variety of mechanisms, immediately restarting their data theft campaign,” Mandiant said. In some cases, UNC3524 installed a secondary backdoor as a means of alternate access.
After deploying backdoors, UNC3524 obtained privileged credentials to their victims’ mail environment and started targeting Exchange on-premise servers and Microsoft 365 cloud mailboxes. The threat actor focused their attention on executive teams and employees that work in corporate development, mergers and acquisitions or IT security staff, the latter likely as a means to determine if their operation had been detected.
While Mandiant researchers noted overlapping techniques between UNC3524 and known multiple Russian cyber-espionage groups, such as APT28 (or “Fancy Bear”) and APT29 (“Cozy Bear”), the researchers noted that they could not definitively connect the threat actor to any of those groups.
The U.S. cybersecurity firm, which was recently acquired by Google for $5.4 billion, added that UNC3524’s use of compromised devices that are often the most insecure and unmonitored in a victim environment, administrators should instead rely on their logs to spot unusual activity.