This sneaky hacking group hid inside networks for 18 months without being detected

Group exploits IoT vulnerabilities and legitimate Windows functions to snoop on emails and servers, say researchers.
Written by Danny Palmer, Senior Writer

A previously undisclosed cyber-espionage group is using clever techniques to breach corporate networks and steal information related to mergers, acquisitions and other large financial transactions – and they've been able to remain undetected by victims for periods of more than 18 months. 

Detailed by cybersecurity researchers at Mandiant, who've named it UNC3524, the hacking operation has been active since at least December 2019 and uses a range of advanced methods to infiltrate and maintain persistence on compromised networks that set it apart from most other hacking groups. These methods include the ability to immediately re-infect environments after access is removed. It's currently unknown how initial access is achieved.  

One of the reasons UNC3524 is so successful at maintaining persistence on networks for such a long time is because it installs backdoors on applications and services that don't support security tools, such as anti-virus or endpoint protection.  

SEE: A winning strategy for cybersecurity (ZDNet special report)

The attacks also exploit vulnerabilities in Internet of Things (IoT) products, including conference-room cameras, to deploy a backdoor on devices that ropes them into a botnet that can be used for lateral movement across networks, providing access to servers.

From here, the attackers can gain a foothold in Windows networks, deploying malware that leaves almost no traces behind at all, while also exploiting built-in Windows protocols, all of which helps the group gain access to privileged credentials to the victim's Microsoft Office 365 mail environment and Microsoft Exchange Servers

This combination of unmonitored IoT devices, stealthy malware and exploiting legitimate Windows protocols that can pass for regular traffic means UNC3524 is difficult to detect – and it's also why those behind the attacks have been able to remain on victim networks for significant periods of time without being spotted.  

"By targeting trusted systems within victim environments that do not support any type of security tooling, UNC3524 was able to remain undetected in victim environments for at least 18 months," wrote researchers at Mandiant.  

And if their access to Windows was somehow removed, the attackers almost immediately got back in to continue the espionage and data-theft campaign. 

UNC3524 focuses heavily on emails of employees that work on corporate development, mergers and acquisitions, as well as large corporate transactions. While this might look like it suggests a financial motivation for attacks, the dwell time of months or even years inside networks leads researchers to believe the real motivation for the attacks is espionage

Mandiant researchers say that some of the techniques used by UNC3524 once inside networks overlaps with Russian-based cyber-espionage groups, including APT28 (Fancy Bear) and APT29 (Cozy Bear).  

However, they also note that they currently "cannot conclusively link UNC3524 to an existing group", but emphasise that UNC3524 is an advanced espionage campaign that demonstrates a rarely seen high level of sophistication. 
"Throughout their operations, the threat actor demonstrated sophisticated operational security that we see only a small number of threat actors demonstrate," they said. 

One of the reasons UNC3524 is so powerful is because it has the ability to stealthily remain undetected with the aid of exploiting lesser-monitored tools and software. Researchers suggest the best opportunity for detection remains network-based logging. 

In addition to this, because the attacks look to exploit unsecured and unmonitored IoT devices and systems, it's suggested that "organisations should take steps to inventory their devices that are on the network and do not support monitoring tools".


Editorial standards