UNC3886
Actor Type | Nation State |
---|---|
Attributed to Nation | China |
UNC3886 is an intrusion set tracked by researchers at Google's Mandiant. Although the group has not been formally attributed to a specific government unit or assigned a named 'APT' designation, Mandiant describe the actor as 'a highly adept Chinese cyber espionage group'.
UNC3886 have been observed exploiting vulnerabilities in network and edge devices (from Fortinet and Ivanti) as well as virtualization technology (including VMware ESXi and vCenter Server). The group uses custom malware and is assessed as having the resources for extensive research and development against target technologies, including zero-day exploitation of appliances that typically lack endpoint detection coverage.
The group is reported as targeting the defense, technology and telecoms sectors in the US and Asia-Pacific regions.
UNC3886 Threat Reports
Cloaked and Covert: Uncovering UNC3886 Espionage Operations
This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...
Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021
This short post from Mandiant researchers details how UNC3886 were observed exploiting a zero-day vulnerability in VMware vCenter Server (CVE-2023-34048) for approximately ...
Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation
This blog post by threat researchers at Mandiant outlines intrusion activity by the UNC3886 intrusion set which involved the deployment of ...
References
cloud.google.com: https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass
cloud.google.com: https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
www.mandiant.com: https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence
www.mandiant.com: https://www.mandiant.com/resources/blog/chinese-vmware-exploitation-since-2021
cloud.google.com: https://cloud.google.com/blog/topics/threat-intelligence/esxi-hypervisors-malware-persistence
www.mandiant.com: https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1014 | Rootkit | Defense Evasion |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1003 | OS Credential Dumping | Credential Access |
T1071 | Application Layer Protocol | Command and Control |
T1573.001 | Symmetric Cryptography | Command and Control |
T1129 | Shared Modules | Execution |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1497.001 | System Checks | Defense Evasion, Discovery |
T1518 | Software Discovery | Discovery |
T1218.011 | Rundll32 | Defense Evasion |
T1105 | Ingress Tool Transfer | Command and Control |
T1555.005 | Password Managers | Credential Access |
T1552 | Unsecured Credentials | Credential Access |
T1059.006 | Python | Execution |
T1571 | Non-Standard Port | Command and Control |
T1070.003 | Clear Command History | Defense Evasion |
T1087 | Account Discovery | Discovery |
T1497 | Virtualization/Sandbox Evasion | Defense Evasion, Discovery |
T1560 | Archive Collected Data | Collection |
T1033 | System Owner/User Discovery | Discovery |
T1070 | Indicator Removal | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1620 | Reflective Code Loading | Defense Evasion |
T1059.003 | Windows Command Shell | Execution |
T1070.004 | File Deletion | Defense Evasion |
T1059.004 | Unix Shell | Execution |
T1202 | Indirect Command Execution | Defense Evasion |
T1560.001 | Archive via Utility | Collection |
T1021.004 | SSH | Lateral Movement |
T1095 | Non-Application Layer Protocol | Command and Control |
T1057 | Process Discovery | Discovery |
T1016 | System Network Configuration Discovery | Discovery |
T1222 | File and Directory Permissions Modification | Defense Evasion |
T1074.001 | Local Data Staging | Collection |
T1082 | System Information Discovery | Discovery |
T1102.001 | Dead Drop Resolver | Command and Control |
T1083 | File and Directory Discovery | Discovery |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1565.001 | Stored Data Manipulation | Impact |
T1059 | Command and Scripting Interpreter | Execution |
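Two of the techniques in the table above, SSH for lateral movement (T1021.004) and clearing command history (T1070.003), are cheap to correlate on any Linux-like host or hypervisor that forwards syslog. The script below is an added example written for this page, not code from Mandiant or from any UNC3886 report: it flags a history-clearing command issued by a user within a short window of that user's SSH login on the same host. The sshd "Accepted ..." line is the standard OpenSSH format; the `cmdlog:` line format, the hostnames, addresses and timestamps are all constructed for the example and are not indicators of compromise.

```python
"""Correlate SSH logins (T1021.004) with shell-history clearing (T1070.003).

Added example for this page; the log lines below are constructed and are
not UNC3886 indicators. The 'cmdlog:' record format is a hypothetical
shell-command audit feed, not a real ESXi or syslog facility.
"""
import re
from datetime import datetime, timedelta

# Standard OpenSSH sshd login record.
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Hypothetical command-audit record (assumption): "<ts> <host> cmdlog: user=<u> cmd=<...>"
CMD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) cmdlog: "
    r"user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)
# Common ways to clear or disable interactive shell history (bash, ash, zsh).
HISTORY_CLEAR = re.compile(
    r"(history\s+-c|unset\s+HISTFILE|HISTSIZE=0|HISTFILESIZE=0|"
    r"rm\s+(-f\s+)?\S*\.(bash_|ash_|zsh_)?history|>\s*\S*\.(bash_|ash_|zsh_)?history)"
)

# Constructed sample log: one suspicious sequence on esx-host01, one benign
# history clear on build-srv that falls well outside the correlation window.
SAMPLE_LOG = """\
Mar  5 09:12:01 esx-host01 sshd[2201]: Accepted password for root from 10.20.30.40 port 51522 ssh2
Mar  5 09:13:10 esx-host01 cmdlog: user=root cmd=esxcli system version get
Mar  5 09:20:45 esx-host01 cmdlog: user=root cmd=unset HISTFILE; history -c
Mar  5 11:02:00 build-srv sshd[3120]: Accepted publickey for deploy from 10.20.30.41 port 40010 ssh2
Mar  5 11:03:30 build-srv cmdlog: user=deploy cmd=git pull
Mar  5 13:40:00 build-srv cmdlog: user=deploy cmd=history -c
""".splitlines()


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; assume one (assumption for the example)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def correlate(lines, window_minutes=30):
    """Return one finding per history-clearing command that follows an SSH
    login by the same user on the same host within window_minutes."""
    logins = []    # (timestamp, host, user, source address)
    findings = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            logins.append((parse_ts(m["ts"]), m["host"], m["user"], m["src"]))
            continue
        m = CMD_RE.match(line)
        if not m or not HISTORY_CLEAR.search(m["cmd"]):
            continue
        ts = parse_ts(m["ts"])
        for login_ts, host, user, src in logins:
            if (host == m["host"] and user == m["user"]
                    and timedelta(0) <= ts - login_ts <= timedelta(minutes=window_minutes)):
                findings.append({
                    "host": host, "user": user, "src": src,
                    "login": login_ts.isoformat(), "cmd": m["cmd"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['host']}: {f['user']} from {f['src']} cleared history after login at {f['login']}: {f['cmd']}")
```

Tune `window_minutes` to the environment: an operator who clears history at the end of a long session will only be caught with a wider window, at the cost of more benign matches from administrators who habitually run `history -c`. Pairing the rule with the source address is what makes the alert actionable, since a login from outside the management network is the part worth escalating.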