UNC5174
Actor Type | Commercial Provider |
---|---|
Attributed to Nation | China |
Associated Threat Actor | Chinese Ministry of State Security |
UNC5174 is an uncategorized intrusion set tracked by Mandiant. Although UNC5174 has not been formally designated, Mandiant assesses with moderate confidence that UNC5174, also known by the persona "Uteus," is a former member of Chinese hacktivist collectives who now acts as a contractor for China's Ministry of State Security (MSS), focusing on access operations.
UNC5174 has been involved in exploiting vulnerabilities in F5 BIG-IP appliances and ConnectWise ScreenConnect, targeting U.S. defense contractors, UK government entities, and institutions across Asia. Their activities include acting as an 'initial access broker', selling access to compromised systems. Targeting has included research, education, business, and government organizations in Southeast Asia, the U.S., and the UK.
UNC5174 Threat Reports
Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect
This blog post by researchers at Mandiant describes how the threat actor UNC5174 exploited vulnerabilities in F5 BIG-IP appliances and ConnectWise ...
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1083 | File and Directory Discovery | Discovery |
T1190 | Exploit Public-Facing Application | Initial Access |
T1070.004 | File Deletion | Defense Evasion |
T1572 | Protocol Tunneling | Command and Control |
T1059.004 | Unix Shell | Execution |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1049 | System Network Connections Discovery | Discovery |
T1601.001 | Patch System Image | Defense Evasion |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1059 | Command and Scripting Interpreter | Execution |
T1105 | Ingress Tool Transfer | Command and Control |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1016 | System Network Configuration Discovery | Discovery |
T1082 | System Information Discovery | Discovery |
T1531 | Account Access Removal | Impact |
T1095 | Non-Application Layer Protocol | Command and Control |
T1608.003 | Install Digital Certificate | Resource Development |
T1136.001 | Local Account | Persistence |