UNC3524
UNC3524 is an espionage-focused threat actor tracked by Mandiant. Its two defining traits are long dwell time (reported at up to roughly 18 months) and strong operational security, achieved by operating from victim "blind spots": uncommon or unsupported Linux servers and opaque network appliances that agent-based security tooling does not cover.

For lateral movement, UNC3524 used a customized build of Impacket's WMIEXEC. Stock wmiexec executes each command through WMI and redirects its output to a file in the target's ADMIN$ share, named \\127.0.0.1\ADMIN$\__<timestamp>; the actor changed this default path and filename (the reporting references \\127.0.0.1\ADMIN$\debug\DEBUG.LOG), which defeats detections that key on the stock filename pattern. For credential access it used the built-in reg save command to copy registry hives for offline extraction of LSA secrets.

After obtaining privileged credentials in victim mail environments, UNC3524 used Exchange Web Services (EWS) against on-premises Microsoft Exchange and/or Microsoft 365 Exchange Online to enumerate and exfiltrate email. Collection was selective, focusing on executive teams, corporate development and mergers & acquisitions personnel, and IT security staff; Mandiant assessed that the security staff were targeted so the actor could gauge whether its intrusion had been detected. Authentication to Exchange evolved over time and included the targeted users' own usernames and passwords, accounts holding ApplicationImpersonation rights, and service principal credentials.

The EWS tradecraft was: GetFolder and FindFolder to enumerate a mailbox's folders; FindItem queries restricted to items whose DateTimeCreated is later than the time of the last access, so each pass pulls only new mail (an approach Mandiant had previously observed with APT29); and GetItem with IncludeMimeContent=true to retrieve the full MIME content, body and attachments included. For messages protected with PGP, S/MIME, or Office 365 Message Encryption (OME), the responses carried only ciphertext, or for OME an authentication link, so collection alone did not yield cleartext for those messages.
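The detection point in the lateral-movement paragraph is that a rule matching wmiexec's stock __<timestamp> filename is defeated simply by renaming the output file, whereas the invariant survives: a cmd.exe spawned by WmiPrvSE.exe whose output is redirected into the ADMIN$ share over loopback. The following Python is an added example, not Mandiant's or UNC3524's code. The process-creation events are constructed; event 1 uses the debug\DEBUG.LOG path cited above with the rest of its command line assumed, and the reg save lines are assumed invocations of the documented hive-dumping technique.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events. Event 0 is what stock Impacket wmiexec.py produces
# (output redirected to a __<unix time> file in ADMIN$ over loopback); event 1
# uses the debug\DEBUG.LOG path cited in the reporting above, with the rest of
# the command line assumed. Events 2-3 are reg save hive dumps; 4-5 are benign.
EVENTS = [
    ProcEvent("WmiPrvSE.exe", "cmd.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1651234567.89 2>&1"),
    ProcEvent("WmiPrvSE.exe", "cmd.exe",
              r"cmd.exe /Q /c ipconfig /all 1> \\127.0.0.1\ADMIN$\debug\DEBUG.LOG 2>&1"),
    ProcEvent("cmd.exe", "reg.exe", r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"),
    ProcEvent("cmd.exe", "reg.exe", r"reg.exe  save hklm\security C:\Windows\debug\sec.log"),
    ProcEvent("explorer.exe", "cmd.exe", r"cmd.exe /c dir 1> C:\Users\bob\out.txt 2>&1"),
    ProcEvent("cmd.exe", "reg.exe", r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# Brittle rule: keys on the stock wmiexec filename and is defeated by renaming the file.
STOCK_FILENAME = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.I)
# Robust rule: any stdout/stderr redirect into the ADMIN$ share via loopback,
# whatever filename the operator chose.
ADMIN_SHARE_REDIRECT = re.compile(r"[12]?>\s*\\\\127\.0\.0\.1\\ADMIN\$\\", re.I)
# reg save of the hives needed to recover LSA secrets offline (SAM, SECURITY, SYSTEM).
REG_SAVE_HIVE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+"?(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b', re.I)


def classify(ev: ProcEvent) -> list:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    if STOCK_FILENAME.search(ev.command_line):
        hits.append("wmiexec_stock_filename")
    # Pair the redirect pattern with the WMI provider host as parent so that an
    # admin redirecting output into ADMIN$ from an interactive shell does not fire.
    if ev.parent_image.lower() == "wmiprvse.exe" and ADMIN_SHARE_REDIRECT.search(ev.command_line):
        hits.append("wmiexec_admin_share_redirect")
    if ev.image.lower() == "reg.exe" and REG_SAVE_HIVE.search(ev.command_line):
        hits.append("reg_save_credential_hive")
    return hits


if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, classify(ev) or "-", ev.command_line)
```

Only event 0 trips the filename rule; both the stock and the renamed variant trip the redirect rule. Stock wmiexec.py also accepts a -share option and its loopback target could be patched out as easily as the filename, so treat the parent/child pair (WmiPrvSE.exe spawning cmd.exe with any file redirect) as the primary signal and the share path as corroboration.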
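The EWS sequence described above (FindItem restricted on DateTimeCreated, then GetItem with IncludeMimeContent=true), as an added Python example that is not code from the original page or from Mandiant. It builds the two SOAP requests, using an ExchangeImpersonation header to stand in for the ApplicationImpersonation-based access the reporting describes, and parses a constructed GetItem response to show why an encrypted message yields only ciphertext to the collector. Mailbox addresses, item IDs and the sample MIME bodies are invented, and the code queries only the inbox rather than walking the folder hierarchy with GetFolder/FindFolder.

```python
import base64
import email
import xml.etree.ElementTree as ET
from email import policy
from typing import Optional

M = "http://schemas.microsoft.com/exchange/services/2006/messages"
T = "http://schemas.microsoft.com/exchange/services/2006/types"
S = "http://schemas.xmlsoap.org/soap/envelope/"


def envelope(body_xml: str, impersonate: Optional[str] = None) -> str:
    """Wrap an EWS operation in a SOAP envelope. With impersonate set, the request
    acts as that mailbox owner, which an account holding ApplicationImpersonation
    can do for any user in the organization."""
    header = ""
    if impersonate:
        header = ("<t:ExchangeImpersonation><t:ConnectingSID>"
                  f"<t:PrimarySmtpAddress>{impersonate}</t:PrimarySmtpAddress>"
                  "</t:ConnectingSID></t:ExchangeImpersonation>")
    return (f'<soap:Envelope xmlns:soap="{S}" xmlns:m="{M}" xmlns:t="{T}">'
            f'<soap:Header><t:RequestServerVersion Version="Exchange2013_SP1"/>{header}</soap:Header>'
            f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>")


def find_items_since(mailbox: str, since_utc: str, folder: str = "inbox") -> str:
    """FindItem limited to items whose DateTimeCreated is later than the last
    collection time, so each run pulls only new mail (the date-range pattern)."""
    body = ('<m:FindItem Traversal="Shallow">'
            "<m:ItemShape><t:BaseShape>IdOnly</t:BaseShape></m:ItemShape>"
            "<m:Restriction><t:IsGreaterThan>"
            '<t:FieldURI FieldURI="item:DateTimeCreated"/>'
            f'<t:FieldURIOrConstant><t:Constant Value="{since_utc}"/></t:FieldURIOrConstant>'
            "</t:IsGreaterThan></m:Restriction>"
            f'<m:ParentFolderIds><t:DistinguishedFolderId Id="{folder}">'
            f"<t:Mailbox><t:EmailAddress>{mailbox}</t:EmailAddress></t:Mailbox>"
            "</t:DistinguishedFolderId></m:ParentFolderIds></m:FindItem>")
    return envelope(body, impersonate=mailbox)


def get_item_mime(item_id: str, change_key: str) -> str:
    """GetItem with IncludeMimeContent=true: one call returns the whole RFC 822
    message (headers, body and attachments) as base64 MimeContent."""
    body = ("<m:GetItem><m:ItemShape><t:BaseShape>IdOnly</t:BaseShape>"
            "<t:IncludeMimeContent>true</t:IncludeMimeContent></m:ItemShape>"
            f'<m:ItemIds><t:ItemId Id="{item_id}" ChangeKey="{change_key}"/></m:ItemIds></m:GetItem>')
    return envelope(body)


def classify_mime(response_xml: str) -> list:
    """Decode each MimeContent in a GetItem response and report whether the
    collected bytes are readable or only ciphertext: (subject, kind, size)."""
    out = []
    for mc in ET.fromstring(response_xml).iter(f"{{{T}}}MimeContent"):
        raw = base64.b64decode(mc.text)
        msg = email.message_from_bytes(raw, policy=policy.default)
        ctype = msg.get_content_type()
        if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") \
                and msg.get_param("smime-type") == "enveloped-data":
            kind = "smime-encrypted"   # body is a CMS EnvelopedData blob
        elif ctype == "multipart/encrypted" or b"-----BEGIN PGP MESSAGE-----" in raw:
            kind = "pgp-encrypted"     # PGP/MIME or inline ASCII-armored PGP
        else:
            kind = "cleartext"
        out.append((str(msg["Subject"]), kind, len(raw)))
    return out


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed messages standing in for mailbox content; the S/MIME body is a
# short placeholder blob, not real CMS ciphertext.
PLAIN_MIME = ("From: ceo@example.test\r\nTo: cfo@example.test\r\n"
              "Subject: Q3 acquisition target\r\n"
              "Content-Type: text/plain; charset=utf-8\r\n\r\nBoard deck attached.\r\n")
SMIME_MIME = ("From: gc@example.test\r\nTo: ceo@example.test\r\nSubject: Term sheet\r\n"
              "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
              "Content-Transfer-Encoding: base64\r\n\r\nMIAGCSqGSIb3DQEHA6CAMIACAQAxggE=\r\n")

# Constructed GetItem response in the shape EWS returns.
SAMPLE_RESPONSE = (
    f'<soap:Envelope xmlns:soap="{S}" xmlns:m="{M}" xmlns:t="{T}"><soap:Body>'
    "<m:GetItemResponse><m:ResponseMessages>"
    '<m:GetItemResponseMessage ResponseClass="Success"><m:ResponseCode>NoError</m:ResponseCode><m:Items>'
    f'<t:Message><t:MimeContent CharacterSet="UTF-8">{_b64(PLAIN_MIME)}</t:MimeContent></t:Message>'
    f'<t:Message><t:MimeContent CharacterSet="UTF-8">{_b64(SMIME_MIME)}</t:MimeContent></t:Message>'
    "</m:Items></m:GetItemResponseMessage></m:ResponseMessages></m:GetItemResponse>"
    "</soap:Body></soap:Envelope>")

if __name__ == "__main__":
    print(find_items_since("ceo@example.test", "2022-03-01T00:00:00Z"))
    print(get_item_mime("AAMkAGI2AAA", "CQAAABYAAAA"))
    for subject, kind, size in classify_mime(SAMPLE_RESPONSE):
        print(f"{subject!r}: {kind} ({size} bytes)")
```

From the defender's side, the same two markers (a FindItem restriction on item:DateTimeCreated issued under impersonation, followed by GetItem calls carrying IncludeMimeContent=true across many mailboxes) are what to look for in EWS request logs; a single account doing this against executive and security-team mailboxes it does not own is the pattern the report describes.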
For command-and-control and other operational infrastructure, Mandiant identified UNC3524's C2 systems primarily as compromised, internet-exposed LifeSize conference room camera devices and, in one case, a D-Link IP camera. These were assessed as likely compromised through default credentials rather than an exploit, and were reachable from the internet because of misconfiguration such as UPnP exposure, in some cases while running older firmware. On compromised hosts UNC3524 used the QUIETEXIT tunneler, keeping its tool footprint small and otherwise living off the land.

Mandiant reported technique overlap with Russia-based espionage actors, including APT29 and APT28 (for example, similarities in date-range email collection and in REGEORG-related tradecraft), but stated it could not conclusively link UNC3524 to an existing tracked group at the time of reporting.