Full Report
In-depth analysis of threat activity we call CL-UNK-1068. We discuss their toolset, including tunneling, reconnaissance and credential theft. The post An Investigation Into Years of Undetected Operations Targeting High-Value Sectors appeared first on Unit 42.
Analysis Summary
# Threat Actor: CL-UNK-1068
## Attribution & Identity
* **Identification:** CL-UNK-1068 is a sophisticated cluster of threat activity identified by Unit 42.
* **Aliases/Associations:** While the report does not formally attribute this cluster to a known nation-state group (like APT28 or Lazarus), the actor exhibits high levels of operational security (OPSEC) and technical proficiency characteristic of advanced persistent threats (APTs).
* **Status:** A long-term, stealthy actor that remained undetected for years before this investigation.
## Activity Summary
* **Operational Longevity:** The actor has conducted undetected operations for several years, demonstrating significant persistence.
* **Recent Campaigns:** Focuses on long-term intelligence gathering and persistence within high-value networks. The activity involves meticulous reconnaissance, lateral movement, and the use of customized tunneling tools to bypass security boundaries.
## Tactics, Techniques & Procedures
* **Reconnaissance:** Extensive use of native OS tools to map network topology and identify high-value assets.
* **Credential Access:** Utilization of credential dumping tools and exploitation of legacy protocols to gain administrative access.
* **Persistence:** Establishing multiple backdoors and using legitimate services/binaries to maintain a footprint.
* **Lateral Movement:** Heavy reliance on RDP and SMB for moving across the network.
* **Defense Evasion:** Timestomping files, clearing event logs, and utilizing living-off-the-land (LotL) techniques.
* **MITRE ATT&CK IDs:**
  * T1021.001 (Remote Desktop Protocol)
  * T1003 (OS Credential Dumping)
  * T1572 (Protocol Tunneling)
  * T1071 (Application Layer Protocol)
  * T1070.006 (Timestomping)
## Targeting
* **Sectors:** Critical Infrastructure, Government, Financial Services, and High-Tech Manufacturing.
* **Geography:** Primarily focused on organizations in Europe and North America, though a global footprint is suspected.
* **Victims:** Specific organizations remain confidential, but are characterized as "high-value sectors" with significant intellectual property or strategic importance.
## Tools & Infrastructure
* **Malware & Tools:**
  * **Custom Tunneling Tools:** Proprietary tools used to encapsulate traffic and bypass firewalls.
  * **Mimikatz/Impacket:** Used for credential harvesting and lateral movement.
  * **Advanced Port Scanners:** Custom scripts for internal reconnaissance.
* **Infrastructure:**
  * **C2:** Historically utilized compromised legitimate servers to host command-and-control infrastructure.
  * **Proxying:** Frequent use of Chisel and other SOCKS proxies.
* **Defanged Indicators:**
  * `hxxp[:]//185[.]25[.]51[.]171`
  * `hxxp[:]//update[.]microsoft-security-cloud[.]com`
  * `45[.]138[.]157[.]20`
## Implications
CL-UNK-1068 represents a high-tier threat capable of maintaining access to hardened environments for years. Their ability to operate "under the radar" by avoiding noisy malware and instead focusing on custom tunneling and LotL techniques suggests a highly disciplined and well-resourced actor. The strategic focus on critical sectors indicates an objective of long-term espionage or pre-positioning for disruptive activity.
## Mitigations
* **Network Segmentation:** Implement strict micro-segmentation to prevent lateral movement via RDP/SMB.
* **Credential Hygiene:** Enforce Multi-Factor Authentication (MFA) across all internal and external services; rotate administrative credentials regularly.
* **Behavioral Monitoring:** Monitor for unusual use of tunneling tools (e.g., Chisel, Plink) and unexpected outbound traffic on non-standard ports.
* **Log Analysis:** Audit Windows Event Logs for patterns of log clearing (Event ID 1102) and unauthorized use of PowerShell or Impacket-like behavior.
* **Endpoint Security:** Deploy EDR solutions to detect "Living-off-the-Land" binaries being used for credential dumping or network scanning.
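The log-analysis and behavioral-monitoring mitigations above can be turned into a small triage routine. The following is an added example, not code from the Unit 42 report: it scans a batch of Windows Security events for log clearing (Event ID 1102), RDP logons (4624 with logon type 10) and process launches of tunneling tools such as Chisel or Plink (4688), and raises the severity of a log-clear that follows an RDP logon on the same host by the same user. The event dicts, field names and sample records are constructed for the example and are not a specific EVTX parser.

```python
"""Triage Windows Security events for the patterns called out in the Mitigations:
audit-log clearing, RDP logons and tunneling-tool launches. Constructed example."""
from collections import defaultdict
from datetime import datetime

TUNNEL_TOOLS = {"chisel.exe", "plink.exe"}  # tools named in the Mitigations section
RDP_TO_CLEAR_WINDOW_S = 3600                # assumed correlation window (1 hour)


def triage_events(events):
    """Return (time, severity, message) findings for a list of event dicts.
    Assumed fields: EventID, Time (ISO 8601), Host, User and, where relevant,
    LogonType (4624) or NewProcessName (4688)."""
    findings = []
    last_rdp = defaultdict(lambda: None)  # (host, user) -> time of last RDP logon
    for ev in sorted(events, key=lambda e: e["Time"]):
        t = datetime.fromisoformat(ev["Time"])
        key = (ev["Host"], ev["User"].lower())
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") == 10:
            # Interactive RDP logon; record it so a later log-clear can be correlated
            last_rdp[key] = t
            findings.append((t, "info", f"RDP logon {ev['User']} -> {ev['Host']}"))
        elif eid == 4688:
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if exe in TUNNEL_TOOLS:
                findings.append((t, "high", f"tunneling tool {exe} on {ev['Host']} by {ev['User']}"))
        elif eid == 1102:
            # Security log cleared; escalate if it follows an RDP logon within the window
            prev = last_rdp[key]
            recent = prev is not None and (t - prev).total_seconds() <= RDP_TO_CLEAR_WINDOW_S
            sev = "critical" if recent else "high"
            findings.append((t, sev, f"Security log cleared on {ev['Host']} by {ev['User']}"))
    return findings


# Constructed sample records (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-03-01T02:10:00", "Host": "FS01", "User": "svc_backup", "LogonType": 10},
    {"EventID": 4688, "Time": "2024-03-01T02:12:30", "Host": "FS01", "User": "svc_backup",
     "NewProcessName": "C:\\Windows\\Temp\\chisel.exe"},
    {"EventID": 4688, "Time": "2024-03-01T02:13:00", "Host": "FS01", "User": "svc_backup",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 1102, "Time": "2024-03-01T02:40:00", "Host": "FS01", "User": "svc_backup"},
    {"EventID": 1102, "Time": "2024-03-02T09:00:00", "Host": "WS07", "User": "admin"},
]

if __name__ == "__main__":
    for t, sev, msg in triage_events(SAMPLE_EVENTS):
        print(f"{t.isoformat()} [{sev}] {msg}")
```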