| UNC4899 | |
|---|---|
| Other Names | Jade Sleet |
| Location | North Korea |
| Date of initial activity | 2023 |
| Suspected Attribution | State-Sponsored Threat Group |
| Government Affiliation | Yes |
| Motivation | Cyberwarfare |
| Associated Tools | Cobalt Strike, Mimikatz, PowerShell Empire, Cerberus, AnyDesk/TeamViewer, Custom Malware |
Overview
UNC4899 is a sophisticated and elusive threat actor that has drawn attention for its advanced cyber operations and strategic targeting. Associated with a range of high-profile cyberattacks, UNC4899 has shown a strong capability for exploiting vulnerabilities in complex digital infrastructures. It is typically linked to high-value targets and has been observed using tactics, techniques, and procedures (TTPs) that reflect a deep understanding of both technology and operational security.
UNC4899's activity shows a strategic focus on supply chain attacks and long-running intrusions in the style of advanced persistent threats (APTs). Its operations are marked by careful planning and execution, often as multi-stage attacks that infiltrate and compromise critical systems over extended periods. This approach maximizes impact and also complicates detection and response by security teams.
Common targets
United States
Information
Attack vectors
Supply Chain
How they operate
The group’s technical operation is marked by its use of advanced tools and techniques designed to infiltrate, control, and exploit target networks while evading detection. At the core of their methodology is the deployment of sophisticated initial access mechanisms. UNC4899 frequently employs phishing campaigns to deliver malicious payloads. These phishing attempts are crafted with precision, often using socially engineered emails that exploit the recipient’s trust to facilitate the delivery of malware. This initial access is crucial as it serves as the gateway for further exploitation.
Once inside the target network, UNC4899 uses a range of execution techniques to establish a foothold and expand its control. A prominent tool in its arsenal is PowerShell, which it uses to run malicious scripts and commands directly on compromised systems; because the interpreter is already present on every Windows host, this lets the group act without the footprint of a conventional malware binary. It also uses Cobalt Strike, a legitimate penetration testing tool repurposed for malicious activity, to establish command and control (C2) channels, move laterally within the network, and execute further exploits.
Persistence is another key aspect of UNC4899’s operations. The group often creates or modifies system processes to ensure they remain active within the target environment. This might involve creating new services or altering existing ones to maintain their presence even after a system reboot. Their persistence tactics are complemented by advanced credential dumping techniques. Using tools like Mimikatz, they extract and collect credentials from compromised systems, which facilitates privilege escalation and lateral movement.
To evade detection, UNC4899 employs several defense evasion strategies. They utilize obfuscation techniques to mask their activities and make their malware less detectable by traditional security solutions. This includes encoding their payloads and using encrypted communication channels to conceal their actions. They also implement strategies to bypass security measures such as User Account Control (UAC), which helps them gain elevated privileges without triggering alerts.
For data exfiltration, UNC4899 works stealthily: it stages collected data within the compromised network first and then extracts it through its existing C2 channels, which minimizes the risk of detection during the exfiltration itself. Overall, UNC4899's operations are characterized by technical sophistication and adaptability, enabling it to execute complex attacks while remaining undetected for extended periods.
MITRE Tactics and Techniques
Initial Access:
Phishing (T1566): UNC4899 has been known to use phishing emails to deliver malicious payloads and gain initial access to target networks.
Execution:
Command and Scripting Interpreter (T1059): The group frequently uses PowerShell and other scripting languages for executing commands on compromised systems.
Exploitation of Vulnerability (T1203): They may exploit vulnerabilities in software to execute their payloads.
Persistence:
Create or Modify System Process (T1543): They may create or modify system processes to maintain persistence on the victim’s network.
Privilege Escalation:
Credential Dumping (T1003): UNC4899 utilizes tools like Mimikatz to dump credentials and escalate privileges within compromised environments.
Defense Evasion:
Obfuscated Files or Information (T1027): The group uses various obfuscation techniques to hide their activities and evade detection.
Bypass User Account Control (T1088): They may bypass User Account Control (UAC) to gain elevated privileges without alerting users.
Credential Access:
Credential Dumping (T1003): UNC4899 regularly engages in credential dumping to obtain authentication information for lateral movement.
Discovery:
Network Service Scanning (T1046): They scan for network services to gather information about the target environment.
Lateral Movement:
Remote Desktop Protocol (T1076): UNC4899 may use Remote Desktop Protocol (RDP) to move laterally across the network.
Windows Admin Shares (T1077): They exploit Windows administrative shares for lateral movement and data collection.
Collection:
Data Staged (T1074): The group stages data before exfiltration, preparing it for extraction from the compromised network.
Exfiltration:
Exfiltration Over Command and Control Channel (T1041): UNC4899 often exfiltrates data through their established command and control channels to avoid detection.
Impact:
Data Encrypted for Impact (T1486): In some cases, they may encrypt data to cause disruption, although this is less common than their other activities.
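To make the behaviours in the "How they operate" section and the MITRE list above concrete from the defender's side, here is an added example, not taken from the original profile or from any vendor's tooling: a small Python triage routine over constructed Windows event records that decodes PowerShell -EncodedCommand payloads, flags service installs from non-system paths, flags LSASS access with dump-capable masks, and tags each hit with the technique IDs used on this page. The event shapes, file paths, service name and access-mask set are assumptions chosen for the example.

```python
import base64
import re

# Constructed sample telemetry (not real logs), shaped like Sysmon/Security event fields.
STAGED_CMD = r"Compress-Archive -Path C:\Users\jdoe\Documents -DestinationPath C:\Windows\Temp\s.zip"
ENCODED = base64.b64encode(STAGED_CMD.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"id": 7045, "service": "UpdateHelperSvc", "image": r"C:\ProgramData\svc\helper.exe"},
    {"id": 10, "image": r"C:\Users\jdoe\AppData\Local\Temp\mm.exe",
     "target": r"C:\Windows\system32\lsass.exe", "access": "0x1010"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

ENC_FLAG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)
# Access masks to lsass.exe typical of credential dumping (VM_READ plus QUERY_INFORMATION).
DUMP_MASKS = {0x1010, 0x1038, 0x1410, 0x1438, 0x1FFFFF}

def decode_powershell(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Return (technique id, rule, detail) tuples for events matching the profile's TTPs."""
    hits = []
    for e in events:
        if e["id"] == 1 and e["image"].lower().endswith("powershell.exe"):
            decoded = decode_powershell(e["cmdline"])
            if decoded:
                hits.append(("T1059", "encoded PowerShell command", decoded))
                hits.append(("T1027", "payload hidden by base64 encoding", decoded))
                if "compress-archive" in decoded.lower() and "\\temp\\" in decoded.lower():
                    hits.append(("T1074", "archive staged under Temp", decoded))
        elif e["id"] == 7045 and not e["image"].lower().startswith(r"c:\windows\system32"):
            hits.append(("T1543", "service installed from non-system path", e["image"]))
        elif e["id"] == 10 and e["target"].lower().endswith("lsass.exe") \
                and int(e["access"], 16) in DUMP_MASKS:
            hits.append(("T1003", "LSASS opened with dump-capable access", e["image"]))
    return hits

if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

Decoding the encoded command is what turns a generic "suspicious flag" alert into evidence of staging (T1074), so the same event yields several technique tags.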