Full Report
Hungarian and Belgian diplomatic entities were allegedly targeted by a well-known Chinese hacking group in September and October. Incident responders at Arctic Wolf Labs discovered an active cyber-espionage campaign they attributed to a China-affiliated threat actor tracked as UNC6384. In August, Google spotlighted a nearly identical campaign by the same group targeting diplomats in Southeast Asia with documents mimicking…
Analysis Summary
# Threat Actor: UNC6384
## Attribution & Identity
* **Identification:** China-affiliated threat actor tracked as UNC6384.
* **Aliases/Associations:** Recognized as a "well-known Chinese hacking group."
## Activity Summary
* **Recent Campaign (Sep-Oct):** Conducted an active cyber-espionage campaign targeting diplomatic entities in Hungary and Belgium; the attacks took place in September and October.
* **Prior Campaign (August):** Google spotlighted a nearly identical campaign by the same group targeting diplomats in Southeast Asia.
* **Overall Activity:** The actor is engaged in sophisticated cyber-espionage operations against governmental and diplomatic targets.
## Tactics, Techniques & Procedures
* **Initial Access:** Utilized spearphishing emails.
* **Lures:** Emails were carefully crafted to appear legitimate, centering on:
  * European Commission meetings.
  * NATO-related workshops.
  * Multilateral diplomatic coordination events.
* **Document Lures:** In the broader context (Southeast Asia), they used documents mimicking EU Council meeting agendas.
* **TTPs (Specific to this actor):** The article primarily details the initial access vector (spearphishing with specific lures) rather than deep technical details, though it is described as a "cyber-espionage campaign."
## Targeting
* **Sectors:** Diplomatic/Governmental Sector.
* **Geography:**
  * **Recent:** Hungary and Belgium (Europe).
  * **Historical/Prior:** Southeast Asia.
* **Victims:** Hungarian diplomatic entities and Belgian diplomatic entities.
## Tools & Infrastructure
* **Malware Families Used:** Not specified in the provided text.
* **Infrastructure:** Not specified in the provided text.
## Implications
* UNC6384 maintains a consistent focus on diplomatic targets across different geographic regions (Europe and Southeast Asia), indicating a strategic priority for intelligence gathering relevant to international relations and policy coordination (e.g., EC, NATO).
* The use of highly contextual and timely lures (like coordination events) suggests the actor possesses high-quality open-source intelligence or specific insider knowledge regarding diplomatic schedules.
## Mitigations
* Heightened vigilance against spearphishing targeting diplomatic personnel, especially emails referencing sensitive or recent/upcoming official events (EU Commission, NATO).
* Reviewing ingress filtering and email security gateways for advanced phishing detection capabilities.
* Security training specifically focused on social engineering tailored to diplomatic terminology and events.