"Bulk Email Theft May Point to Russian Espionage"

Researchers recently discovered a threat group with a possible Russian connection that targets corporate email environments. The researchers initially believed the UNC3524 gang was primarily financially motivated, as most ransomware operations are. An analysis of the group's actions, however, points to espionage. The researchers suspect that UNC3524 is linked to Russia, but it is unclear whether the government directly funds the group. The activities of UNC3524 support Russian geopolitical interests in corporate development, mergers and acquisitions, and large corporate transactions. UNC3524 distinguishes itself from other attackers by its ability to go undetected for extended periods of time. Mandiant's investigation into UNC3524 reveals that the threat group targets trusted systems within victim environments that do not support security tools such as antivirus or endpoint protection. As a result, UNC3524 can remain undetected in victim environments for up to 18 months. These attacks demonstrate advanced operational security, a small malware footprint, adept evasion skills, and a large Internet of Things (IoT) botnet. Furthermore, if victims manage to detect and remove UNC3524's access, the group can still re-infect the environment. The group specializes in stealing bulk email data from victims in order to support espionage campaigns, as emails and email attachments are a rich source of information about any company. The attackers target, access, and search email content throughout the organization. After gaining initial access through unknown means, they deploy a novel backdoor based on the open-source Dropbear SSH client-server software. Backdoors like these can be installed on SAN arrays, load balancers, and wireless AP controllers. This article continues to discuss findings and observations regarding the UNC3524 gang.

Security Intelligence reports "Bulk Email Theft May Point to Russian Espionage"