💡

UNC5174

Aliases

Uteus

Tags

State-SponsoredHacktivist

Attribution

🇨🇳

Incidents

UNC5174 ScreenConnect and F5 BIG-IP exploitation UNC5174 Linux Espionage Campaign

References

https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect

Last edited

Apr 30, 2024 6:42 AM

Status

Finalized

Cloud-fluent

Unique Tools

GOHEAVY SNOWLIGHT

UNC5174 is a access operations group, characterized by its usage of the aliases "Uteus" (and its alternate spelling "uetus") in underground forums. This group is moderately assessed to be operating out of China and has historical ties to several hacktivist collectives, notably "Dawn Calvary" and "Genesis Day," prior to 2023. UNC5174 has also positioned itself as being affiliated with the People's Republic of China's Ministry of State Security (PRC MSS), acting both as an access broker and potentially as a contractor engaged in for-profit cyber intrusions.

Key points about UNC5174 include:

Historical Affiliations: Before 2023, UNC5174 was part of Chinese hacktivist groups, collaborating closely with "Dawn Calvary," "Genesis Day"/"Xiaoqiying," and "Teng Snake." The group appears to have left these collectives around mid-2023 to concentrate on access operations aimed at selling compromised system access.
MSS Contractor Speculation: Mandiant's investigation suggests UNC5174 may serve as an initial access broker functioning under the auspices of the MSS. This is supported by the actor's claims of MSS affiliation in dark web discussions, which hint at a connection with MSS-related Advanced Persistent Threat (APT) activities.
Targeted Operations: The operations conducted by UNC5174 have significant overlaps with those attributed to known MSS access brokers, such as UNC302, who have been previously indicted by the U.S. Department of Justice. Targets include high-profile entities in the U.S. defense sector and UK government organizations.
Cyber Exploitation Activities: On October 10, 2023, Mandiant discovered evidence linking UNC5174 to the exploitation of vulnerabilities, including an incident involving an F5 device IP address at government organizations. This was associated with the "Uteus" persona, which also claimed to exploit a Confluence vulnerability (CVE-2023-22515) to gain access to systems of a U.S. military contractor and a UK government organization.
Operational Tactics: UNC5174, through the "Uteus" persona, has indicated the use of public proof of concept for exploiting system vulnerabilities, showcasing a strategic approach to leveraging known security flaws for unauthorized access to targeted systems.

Despite these activities, there is a noted distinction between UNC5174 ("Uteus") and "Xiaoqiying," with the latter independently asserting no employment by the Chinese government.