UNC3886

Actor Type	Nation State
Attributed to Nation	China

UNC3886 is an intrusion set tracked by researchers at Google's Mandiant. Although the group has not been formally attributed or identified as a specific 'APT', Mandiant describe the actor as 'a highly adept Chinese cyber espionage group'.

UNC3886 have been observed exploiting vulnerabilities in network devices (from Fortinet and Ivanti) as well as virtualization technology (including VMWare ESXi). The group utilises custom malware and is assessed as having the resources for extensive research and development against target technologies.

The group is reported as targeting defense, technology and telecomms sectors in the US and Asia Pacific regions.

Cyber Threat Graph Context

Explore how this Intrusion Set relates to the wider threat graph

UNC3886 Threat Reports

Report

Cloaked and Covert: Uncovering UNC3886 Espionage Operations

This article by researchers from Google's Mandiant outlines intrusion activity by UNC3886, a suspected China-nexus cyber espionage group. The ...

View Source

Report

Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021

This short post from Mandiant researchers details how UNC3886 were observed exploiting a zero-day vulnerability in VMWare tools for approximately ...

View Source

Report

Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation

This blog post by threat researchers at Mandiant outlines intrusions activity by the UNC3886 intrusion set which involved the deployment of ...

View Source

References

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

Search:

ATT&CK ID	Title	Associated Tactics
T1014	Rootkit	Defense Evasion
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1003	OS Credential Dumping	Credential Access
T1071	Application Layer Protocol	Command and Control
T1573.001	Symmetric Cryptography	Command and Control
T1129	Shared Modules	Execution
T1027	Obfuscated Files or Information	Defense Evasion
T1497.001	System Checks	Defense Evasion, Discovery
T1518	Software Discovery	Discovery
T1218.011	Rundll32	Defense Evasion
T1105	Ingress Tool Transfer	Command and Control
T1555.005	Password Managers	Credential Access
T1552	Unsecured Credentials	Credential Access
T1059.006	Python	Execution
T1571	Non-Standard Port	Command and Control
T1070.003	Clear Command History	Defense Evasion
T1087	Account Discovery	Discovery
T1497	Virtualization/Sandbox Evasion	Defense Evasion, Discovery
T1560	Archive Collected Data	Collection
T1033	System Owner/User Discovery	Discovery
T1070	Indicator Removal	Defense Evasion
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1620	Reflective Code Loading	Defense Evasion
T1059.003	Windows Command Shell	Execution
T1070.004	File Deletion	Defense Evasion
T1059.004	Unix Shell	Execution
T1202	Indirect Command Execution	Defense Evasion
T1560.001	Archive via Utility	Collection
T1021.004	SSH	Lateral Movement
T1095	Non-Application Layer Protocol	Command and Control
T1057	Process Discovery	Discovery
T1016	System Network Configuration Discovery	Discovery
T1222	File and Directory Permissions Modification	Defense Evasion
T1074.001	Local Data Staging	Collection
T1082	System Information Discovery	Discovery
T1102.001	Dead Drop Resolver	Command and Control
T1083	File and Directory Discovery	Discovery
T1140	Deobfuscate/Decode Files or Information	Defense Evasion
T1059.001	PowerShell	Execution
T1565.001	Stored Data Manipulation	Impact
T1059	Command and Scripting Interpreter	Execution

Showing 1 to 41 of 41 entries

UNC3886

Cyber Threat Graph Context

UNC3886 Threat Reports

Cloaked and Covert: Uncovering UNC3886 Espionage Operations

Chinese Espionage Group UNC3886 Found Exploiting CVE-2023-34048 Since Late 2021

Fortinet Zero-Day and Custom Malware Used by Suspected Chinese Actor in Espionage Operation

References

cloud.google.com

cloud.google.com

www.mandiant.com

www.mandiant.com

cloud.google.com

www.mandiant.com

MITRE ATT&CK Techniques