Mandiant continues to track multiple clusters of suspected Russian intrusion activity that have targeted business and government entities around the globe. Based on our assessment of these activities, we have identified two distinct clusters of activity, UNC3004 and UNC2652. We associate both groups with UNC2452, also referred to as Nobelium by Microsoft.
Some of the tactics Mandiant has recently observed include:
- Compromise of multiple technology solutions, services, and reseller companies since 2020.
- Use of credentials likely obtained from an info-stealer malware campaign by a third-party actor to gain initial access to organizations.
- Use of accounts with Application Impersonation privileges to harvest sensitive mail data since Q1 2021.
- Use of both residential IP proxy services and newly provisioned, geolocated infrastructure to communicate with compromised victims.
- Use of novel TTPs to bypass security restrictions within environments, including, but not limited to, the extraction of virtual machines to determine internal routing configurations.
- Use of a new bespoke downloader we call CEELOADER.
- Abuse of multi-factor authentication leveraging “push” notifications on smartphones.
In most instances, post-compromise activity included theft of data relevant to Russian interests. In some instances, the stolen data appears to have been obtained primarily to create new routes to access other victim environments. The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts.
The sections below highlight intrusion activity from multiple incident response efforts that are currently tracked as multiple uncategorized clusters. Mandiant suspects the multiple clusters to be attributable to a common Russian threat. The information below covers some of the Tactics, Techniques, and Procedures (TTPs) used by the threat actors for initial compromise, establishing a foothold, data collection, and lateral movement; how the threat actors provision infrastructure; and indicators of compromise. The information is being shared to raise awareness and allow organizations to better defend themselves.