UNC5174

Actor Type: Commercial Provider
Attributed to Nation: China
Associated Threat Actor: Chinese Ministry of State Security

UNC5174 is an uncategorised intrusion set tracked by Mandiant. Although UNC5174 has not been formally designated, Mandiant states with moderate confidence that UNC5174, also known by the persona "Uteus", is a former member of Chinese hacktivist collectives who acts as a contractor for China's Ministry of State Security (MSS), focusing on access operations.

UNC5174 has been involved in exploiting vulnerabilities in F5 BIG-IP appliances and ConnectWise ScreenConnect, targeting U.S. defense contractors, UK government entities, and institutions across Asia. Their activities include acting as an "initial access broker", selling access to compromised systems. Targeting has included research, education, businesses, and government organizations in Southeast Asia, the U.S., and the UK.

UNC5174 Threat Reports

Report

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...

MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.

| ATT&CK ID | Title | Associated Tactics |
|-----------|-------|--------------------|
| T1083 | File and Directory Discovery | Discovery |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1070.004 | File Deletion | Defense Evasion |
| T1572 | Protocol Tunneling | Command and Control |
| T1059.004 | Unix Shell | Execution |
| T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1049 | System Network Connections Discovery | Discovery |
| T1601.001 | Patch System Image | Defense Evasion |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1059 | Command and Scripting Interpreter | Execution |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1016 | System Network Configuration Discovery | Discovery |
| T1082 | System Information Discovery | Discovery |
| T1531 | Account Access Removal | Impact |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1608.003 | Install Digital Certificate | Resource Development |
| T1136.001 | Local Account | Persistence |