UAT4356
Attribute | Value
---|---
Actor Type | Nation State
Directly Linked Intrusion Sets | STORM-1849
UAT4356 is an intrusion set tracked by Cisco Talos. According to Talos reporting, the group has a focus on espionage and demonstrates the advanced capabilities and persistence of a sophisticated nation-state sponsored actor.
Researchers at Cisco Talos have observed the group compromising perimeter network devices, specifically Cisco ASA firewalls, and deploying advanced custom malware (Line Dancer and Line Runner) to those firewalls.
Cisco observed the group targeting government networks globally and dates the attacker infrastructure to November 2023, with most activity occurring during December 2023 and January 2024.
Talos attributes the group to a state-sponsored actor on the basis of victimology, tradecraft and the exploitation of multiple 0-day vulnerabilities.
UAT4356 Threat Reports
ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices
This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...
References
https://www.cyber.gc.ca/sites/default/files/cisco-asa-vulnerability-en_0.pdf
https://www.ncsc.gov.uk/news/exploitation-vulnerabilities-affecting-cisco-firewall-platforms
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1562 | Impair Defenses | Defense Evasion |
T1102 | Web Service | Command and Control |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1653 | Power Settings | Persistence |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1040 | Network Sniffing | Credential Access, Discovery |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1070 | Indicator Removal | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1071 | Application Layer Protocol | Command and Control |