UNC2717

UNC2717 is a Mandiant/FireEye-tracked threat cluster that targeted global government agencies in Europe and the U.S. between October 2020 and March 2021. The activity involved exploitation of Pulse Secure (Pulse Connect Secure) VPN vulnerabilities, including CVE-2021-22893 as well as previously disclosed 2019 and 2020 flaws, to gain access to victim environments. FireEye reported that UNC2717 repurposed the same Pulse Secure flaws used in related intrusion activity to install custom malware on government agency networks. UNC2717 was observed using Pulse Secure-focused malware including HARDPULSE, QUIETPULSE, and PULSEJUMP; in a March 2021 incident at a European organization, Mandiant observed UNC2717 using RADIALPULSE, PULSEJUMP, and HARDPULSE. The group was described as displaying advanced tradecraft and going to impressive lengths to avoid detection. Reported evasion and persistence behaviors associated with the broader UNC2630/UNC2717 activity included deleting or editing logs and artifacts, modifying timestamps, and using persistence mechanisms on Pulse Secure appliances that could survive software upgrades and factory resets. Mandiant also reported the actors harvested Active Directory credentials, bypassed multifactor authentication on Pulse Secure devices, and used stolen credentials and Windows-native tooling for reconnaissance, lateral movement, and access to resources such as Microsoft 365. Mandiant assessed that espionage activity by UNC2630 and UNC2717 supports key Chinese government priorities aligned with China’s 14th Five Year Plan. However, Mandiant also stated it lacked sufficient evidence to determine UNC2717 government sponsorship or affiliation with a known APT group. No aliases or sub-groups for UNC2717 were provided in the content.