
Attacker launches email attacks to uncover confidential corporate merger and acquisition information, Mandiant says.

The suspected threat actor, UNC3524, operated stealthily inside targeted systems for at least 18 months.


A sophisticated threat actor tracked as UNC3524 has been identified targeting U.S. businesses and overseas organizations in a global espionage campaign. The intrusions, which in some cases have been ongoing for at least 18 months, have affected entities across sectors such as finance, technology, and government, not only in the United States but also in Europe and Asia.

UNC3524's primary goal is to gain information on corporate strategy and decision making, rather than a quick financial win. The threat actor specifically targeted the email accounts of executives involved in corporate development and large transactions, allowing them to gather valuable insights into the organizations' operations.

The attackers used advanced tactics that allowed them to gain multiple footholds and consistently maintain access to sensitive corporate data. UNC3524 hid in blind spots of most organizations' security controls, including forgotten network appliances, IoT devices, and other trusted systems that don't support security tools.

One of the methods used by UNC3524 was the deployment of a novel backdoor, QUIETEXIT, based on Dropbear SSH client-server software. This backdoor was found on storage area network arrays, load balancers, and wireless access point controllers, enabling the threat actor to remain undetected within victim environments.

To evade detection, UNC3524 appeared to access Microsoft Exchange email accounts from within its victim's IP space. This tactic made it difficult for security systems to identify the threat actor's activities.

To reduce the risk posed by actors like UNC3524, cybersecurity experts recommend proactive threat hunting and red teaming to find weaknesses before a threat actor can exploit them. Michela Menting suggests enterprises monitor network traffic for anomalous behavior, while McLellan encourages organizations to use a central monitoring system for all security alerts, especially as services move to clouds with disparate logging and security practices.

A zero-trust approach to cybersecurity and strict identity and access management controls are also recommended by Menting. Network-based logging provides the best chance for discovery of QUIETEXIT and UNC3524's activities.
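The recommendation above, network-based logging plus an eye for anomalous traffic, can be made concrete as a simple flow-log heuristic. The following is an added example written for this page, not code from Mandiant or from the article: it tags internal hosts that are appliances or IoT devices (the kind that cannot run endpoint security tools) and flags two behaviours that such devices normally have no reason to show, outbound connections to the internet and connections to the Exchange server. Every IP address, hostname, log line and rule threshold here is constructed for illustration; none of it is a published UNC3524 indicator.

```python
"""Flow-log heuristic for appliance/IoT hosts behaving like clients.

Added example for this article (not Mandiant's or the article's code).
All addresses, hostnames and log lines below are constructed; the asset
inventory and rules are assumptions for the example, not real indicators.
"""
import ipaddress
from dataclasses import dataclass

# Constructed asset inventory: appliances that usually sit in the blind spot
# of endpoint security tooling, and the mail server they should not browse to.
APPLIANCE_HOSTS = {
    "10.10.5.20": "san-array-01",
    "10.10.5.21": "lb-01",
    "10.10.5.22": "wlan-controller-01",
}
EXCHANGE_HOSTS = {"10.10.1.10"}
EXCHANGE_WEB_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Flows an operator has reviewed and expects, e.g. a load balancer that
# fronts Exchange legitimately talks to it all day. Constructed allowlist.
EXPECTED_FLOWS = {("10.10.5.21", "10.10.1.10")}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow line: '<ts> <src> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst_port, proto = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(ts, src, dst, int(dport), proto)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_anomalies(lines):
    """Return (rule_name, flow) pairs for appliance hosts acting as clients.

    Rule 1: an appliance initiating a connection to a non-internal address.
    Rule 2: an appliance connecting to Exchange on its web ports, unless the
            (src, dst) pair is on the reviewed allowlist.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow.src not in APPLIANCE_HOSTS:
            continue
        if not is_internal(flow.dst):
            findings.append(("appliance_outbound_external", flow))
        if (flow.dst in EXCHANGE_HOSTS
                and flow.dport in EXCHANGE_WEB_PORTS
                and (flow.src, flow.dst) not in EXPECTED_FLOWS):
            findings.append(("appliance_to_exchange", flow))
    return findings


# Constructed sample flow log; comments describe the intended story.
SAMPLE_LOGS = [
    "2022-05-02T10:00:01Z 10.10.7.45 -> 10.10.1.10:443 tcp",     # workstation to Exchange: normal
    "2022-05-02T10:00:05Z 10.10.5.20 -> 10.10.1.50:445 tcp",     # SAN to internal file server: fine
    "2022-05-02T10:01:12Z 10.10.5.22 -> 203.0.113.8:22 tcp",     # WLAN controller to the internet
    "2022-05-02T10:02:30Z 10.10.5.21 -> 10.10.1.10:443 tcp",     # load balancer to Exchange: allowlisted
    "2022-05-02T10:02:45Z 10.10.5.20 -> 10.10.1.10:443 tcp",     # SAN array talking to Exchange
    "2022-05-02T10:03:00Z 10.10.7.46 -> 198.51.100.20:443 tcp",  # workstation browsing: normal
]

if __name__ == "__main__":
    for rule, flow in find_anomalies(SAMPLE_LOGS):
        print(f"{rule}: {APPLIANCE_HOSTS[flow.src]} ({flow.src}) -> "
              f"{flow.dst}:{flow.dport} at {flow.ts}")
```

The value of this kind of check comes from the asset inventory, not the rules: once the organization knows which addresses belong to appliances that cannot host an agent, any flow in which such a device behaves like a user workstation stands out, which is exactly the visibility the article says endpoint-only controls lack.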

The longer-term strategy of UNC3524 reinforces speculation that they are either state-sponsored or state-backed, as they don't need an immediate payout. Long-term access granted to UNC3524 allows the threat actor to learn the layout of the victim network and find configuration loopholes that could bypass two-factor authentication. This access also allows UNC3524 to collect previously used account passwords that may inform future re-compromise activity.

UNC3524's methodologies emulate techniques used by multiple Russia-based espionage threat actors, according to Mandiant. The organizations affected by UNC3524 in this specific attack, besides the US companies, included entities in Europe and Asia.

As the cyber threat landscape continues to evolve, it's crucial for organizations to stay vigilant and implement robust cybersecurity measures to protect their sensitive data from sophisticated threat actors like UNC3524.
