UAT4356

Actor Type: Nation State
Directly Linked Intrusion Sets: STORM-1849

UAT4356 is an intrusion set tracked by Cisco Talos. According to Cisco Talos reporting, the group has a focus on espionage and demonstrates the advanced capabilities and persistence of a sophisticated nation-state sponsored actor.

Researchers at Cisco Talos have observed the group compromising perimeter network devices, specifically Cisco ASA firewalls, and deploying advanced custom malware (Line Dancer and Line Runner) to those firewalls.

Cisco observed the group targeting government networks globally and dates the attacker infrastructure to November 2023, with most activity occurring during December 2023 and January 2024.

Talos attributes the group to a state-sponsored actor on the basis of victimology, tradecraft and the exploitation of multiple 0-day vulnerabilities.

UAT4356 Threat Reports

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

This blog post from Cisco Talos discusses ArcaneDoor, an espionage-focused campaign targeting perimeter network devices, which are crucial for ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.