Friday 4 October 11:30 - 12:00, Green room
Steve Su, Aragorn Tseng, Chi-Yu You (YCY) & Cristiana Brafman Kittner (Google)
This presentation offers insight into the developmental history and evolution of UNC3569, an unconventional yet arguably one of the most prolific and sophisticated PRC-nexus threat actors in the MSS ecosystem. Additional insight into similar threat actors that operate in the MSS ecosystem as front, or shell, companies further exposes the tools and techniques used, as well as potential connections to other ongoing threat clusters that likewise operate as front companies and effectively obfuscate the networks the operators likely use across their campaigns.
The PRC cyber ecosystem, expanded yet centralized, is increasingly complex. In recent years one of its most active threat actors has been UNC3569, a significant element in China's cyber espionage operations. Current data shows that UNC3569 has interests across a wide range of industries: since 2021 it has targeted at least government agencies, educational institutions, high-tech companies and the financial sector. The actor also has an interest in the gaming industry, as evidenced by the language used on the fake warning pages hosted on its squatting domains.
UNC3569 is adept at exploiting significant vulnerabilities to gain a foothold on target servers. Historically, it has used a variety of vulnerability scanners to find and then exploit flaws including CVE-2021-34523, CVE-2021-34473 and CVE-2021-31207 (the ProxyShell chain in Microsoft Exchange Server) and CVE-2022-21587 (Oracle E-Business Suite). To expand its operations, UNC3569 also maintains a broad arsenal of customized malware alongside powerful legitimate tools, public hacking tools and a commercial hacking tool purchased on underground markets.
The GRAYRABBIT backdoor is one of this actor's favoured tools. It is a lightweight, simple backdoor that supports basic file operations, system information collection, loading of modular plugins and execution of a remote command shell. UNC3569 quickly developed customized components, such as RABBITCAVE, RABBITMOUND, RABBITWING and RABBITFUR, to deploy GRAYRABBIT in different environments. We also found a customized DLL loader, AtomLdr, abused as a GRAYRABBIT loader on a DRAFTGRAPH C2 cloud server. At the start of 2024, UNC3569 set up a new domain impersonating the FBI, serving its new weapon, the KEYPLUG.LINUX backdoor, which has frequently been observed in use by APT41 in the past.
UNC3569 maintains its operational efficiency through repeatable infrastructure: the actor has reused similar server configurations and abused runs of sequential IP addresses paired with squatting domains to build an expandable and convenient infrastructure for its operations.
Steve Su
Steve Su is a senior security engineer and researcher at Google Cloud's Mandiant Intelligence. He has eight years of experience focusing on malware hunting, reverse engineering, and tracking state-sponsored campaigns across the Asia Pacific region.

Aragorn Tseng
Aragorn Tseng serves as a researcher and analyst for Google Cloud's Mandiant Intelligence, specializing in tracking state-sponsored actors across the Asia Pacific region. His expertise spans various domains, including malware analysis, incident response, APT campaign tracking, and the application of deep learning to cybersecurity challenges. Aragorn has presented his research at conferences such as Black Hat Asia, CodeBlue, HITCON, Virus Bulletin, and JSAC. Prior to joining Google Cloud, Aragorn worked as a consultant, contributing to incident response and APT campaign tracking initiatives within Taiwan's law enforcement agencies.

Chi-Yu You
Chi-Yu You (YCY) is a team lead on the Cyber Espionage Team at Google Cloud's Mandiant Intelligence. She leads a team that provides insights into nation-state threats in the Asia Pacific region. YCY has eight years of experience in threat intelligence. Her expertise spans threat hunting, reverse engineering, automated malware analysis, and campaign tracking. She has spoken at conferences including CodeBlue, HITCON, and JSAC.

Cristiana Brafman Kittner
Cristiana Brafman Kittner has over two decades of experience in the defence and cybersecurity domain. As Chief Analyst at Google Cloud's Product Security Engineering, she leverages that expertise to provide cutting-edge cyber threat intelligence and risk management solutions to clients across various industries. A subject matter expert in cyber attack trends, threat actors, and mitigation strategies, Cris is also a trusted advisor to senior executives and stakeholders on cyber risk management and resiliency.
Back to VB2024 conference page