
Operation DeepRoot: UNC1549’s Covert Espionage Against Aerospace and Defense Networks
Indicators of Compromise
APT Groups
Summary of Actor: UNC1549 is a suspected Iran-nexus cyber-espionage actor tracked by Mandiant. Its targeting centres on aerospace, aviation and defense organizations, and the Operation DeepRoot activity covered on this page fits that pattern: the objective is covert, long-lived access and the collection of internal documents, not extortion.
General Features: Initial access relies on credential theft rather than on perimeter exploitation: spear-phishing with spoofed senders, homograph domains and cloned login pages, and low-and-slow password spraying against SSO, webmail (OWA), SSH and network-device logins. Once inside, collection is quiet: bulk retrieval of SharePoint documents under privileged or rarely used accounts, and screen capture on compromised hosts.
Related Other Groups: Mandiant has reported possible overlaps with the Iran-nexus cluster Tortoiseshell.
Indicators of Attack (IoA): bulk access to SharePoint files or metadata by privileged or rarely used accounts in a short window; screen-capture tooling or APIs launched from unexpected parent processes; phishing mail from spoofed or lookalike (homograph) senders and links to cloned login sites; authentication failures across many accounts from one source using a single password.
Recent Activities and Trends:
Latest Campaigns: Operation DeepRoot, the espionage campaign against aerospace and defense networks described on this page.
Emerging Trends: emphasis on credential access that blends into normal authentication noise (distributed spraying across many accounts from one source, phishing from lookalike domains) and on collection from collaboration platforms such as SharePoint; detection therefore hinges on authentication-failure analytics and bulk document-access baselines.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
Name | Analytic Description
Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users | Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.
- | Unusual use of screen capture APIs (e.g., CopyFromScreen on Windows) or command-line tools writing image files to disk; invocation of built-in commands such as screencapture (macOS) or of undocumented APIs from suspicious parent processes; use of X11 tools such as xwd or import to generate screenshots, especially under non-GUI parent processes.
- | Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual or unknown sender. Filtering on DKIM+SPF results or header analysis can reveal a spoofed sender.[49][50] Monitor for references to uncategorized or known-bad sites; URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can detect links leading to known malicious sites.[3] Monitor browser logs and network traffic for homographs: ASCII lookalikes and internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). Also inspect traffic for indicators of cloned websites; for example, if adversaries use HTTrack to clone a site, "Mirrored from (victim URL)" may be visible in the HTML of captured packets.
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | A high volume of authentication failures using a single password (or a small set) across many different user accounts within a defined time window.
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Authentication failures across different accounts using a repeated or similar password via SSH or the PAM stack within a short window.
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Multiple failed login attempts across different users using common password patterns (e.g., 'Welcome2023').
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Sign-in failures across enterprise SSO applications or SaaS platforms from the same IP address using the same password against multiple user identities.
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Authentication failure logs on routers and switches showing repeated use of default or common passwords across multiple accounts.
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Repeated failed authentication attempts to container APIs, control planes or login shells across many user names using the same password.
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute-force attempts).
Distributed Password Spraying via Authentication Failures Across Multiple Accounts | SaaS applications receiving authentication failures for dozens of accounts using the same password or login signature.
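The password-spraying rows and the SharePoint data-mining row above share one detection shape: a sliding time window over grouped events with a distinct-count threshold. The Python below is an added example written for this page, not code from the original page or from any vendor product. Its log line format, field names (src, ua, user, result, op, item), thresholds and the "rare account" baseline rule are assumptions, and every log line is constructed. It also handles the edge case the spraying analytics leave implicit: logs never contain the password, so "same password" is inferred from the one-guess-per-account shape, and a single account hammered many times (brute force) is deliberately not matched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log shape: ISO-8601 UTC timestamp, then key="value" pairs.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse(log_text):
    """Parse key="value" log lines into dicts sorted by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, kv = line.split(" ", 1)
        ev = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
        ev.update((m.group(1), m.group(2)) for m in KV_RE.finditer(kv))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _windows(evs, window):
    """Yield (start, end) so that evs[start:end + 1] spans at most `window`."""
    start = 0
    for end, e in enumerate(evs):
        while e["ts"] - evs[start]["ts"] > window:
            start += 1
        yield start, end


def detect_spray(events, window=timedelta(minutes=15), min_accounts=5, max_per_account=2):
    """Flag a login signature (source IP + user agent) whose failures hit many distinct
    accounts inside `window` with only a guess or two per account. One account failing
    many times is brute force, not spraying, and does not match."""
    by_sig = defaultdict(list)
    for e in events:
        if e.get("result") == "FAIL":
            by_sig[(e["src"], e.get("ua", ""))].append(e)
    alerts = []
    for (src, ua), evs in by_sig.items():
        for start, end in _windows(evs, window):
            per_user = defaultdict(int)
            for w in evs[start:end + 1]:
                per_user[w["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts.append({"kind": "password_spray", "src": src, "ua": ua,
                               "accounts": sorted(per_user)})
                break  # one alert per signature
    return alerts


def detect_bulk_sharepoint(events, privileged, window=timedelta(minutes=5), min_items=20,
                           baseline=timedelta(days=30), rare_max_days=2):
    """Flag a user reading >= min_items distinct items inside `window` when the account is
    privileged or rare (active on <= rare_max_days days in the baseline before the burst)."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("op") == "FileAccessed":
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for start, end in _windows(evs, window):
            items = {w["item"] for w in evs[start:end + 1]}
            if len(items) < min_items:
                continue
            burst = evs[start]["ts"]
            prior_days = {w["ts"].date() for w in evs if burst - baseline <= w["ts"] < burst}
            if user in privileged or len(prior_days) <= rare_max_days:
                alerts.append({"kind": "bulk_sharepoint_access", "user": user,
                               "items": len(items), "prior_active_days": len(prior_days)})
                break
    return alerts


# Constructed sample data (not real telemetry).
T0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)


def _line(ts, **kv):
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ") + " " + " ".join(f'{k}="{v}"' for k, v in kv.items())


AUTH_LOG = "\n".join(
    # spray: one guess each against eight accounts from one client in four minutes
    [_line(T0 + timedelta(seconds=30 * i), src="203.0.113.7", ua="python-requests/2.31",
           user=f"user{i:02d}", result="FAIL") for i in range(8)]
    # brute force: eight guesses at one account (must not match as a spray)
    + [_line(T0 + timedelta(seconds=10 * i), src="198.51.100.9", ua="Mozilla/5.0",
             user="alice", result="FAIL") for i in range(8)]
    # benign: a single typo
    + [_line(T0 + timedelta(minutes=3), src="192.0.2.5", ua="Mozilla/5.0", user="bob", result="FAIL")]
)
SP_LOG = "\n".join(
    # bob: steady daily use for weeks, then a few files today
    [_line(T0 - timedelta(days=d, hours=2), user="bob", op="FileAccessed", item=f"/sites/eng/n{d}.docx") for d in range(1, 21)]
    + [_line(T0 + timedelta(minutes=i), user="bob", op="FileAccessed", item=f"/sites/eng/s{i}.docx") for i in range(5)]
    # svc_legacy: never seen before, then thirty design files in three minutes
    + [_line(T0 + timedelta(seconds=6 * i), user="svc_legacy", op="FileAccessed", item=f"/sites/eng/Designs/p{i:03d}.dwg") for i in range(30)]
)


def run():
    """Run both detections over the constructed logs; returns (spray_alerts, bulk_alerts)."""
    return detect_spray(parse(AUTH_LOG)), detect_bulk_sharepoint(parse(SP_LOG), privileged={"sp_admin"})
```

Calling run() yields one spray alert for 203.0.113.7 (the first window in which five distinct accounts each failed once) and one bulk-access alert for svc_legacy (twenty distinct files with no prior activity in the baseline); the brute-force source and bob's normal use produce nothing. In production the same logic maps onto Entra ID sign-in logs, Exchange/OWA and SSH auth logs, and SharePoint audit logs; the per-source user-agent grouping matters because sprayers rotate IPs more readily than tooling.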
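The phishing analytic above asks for two things that are easy to describe and fiddly to implement: spotting homograph and internationalized-domain lookalikes of trusted sites in browser or proxy logs, and spotting the "Mirrored from" stamp HTTrack leaves in cloned pages. The Python below is an added example for this page, not code from the original page or from any product. The confusables map is a tiny, assumed subset of the Unicode UTS #39 table (a real deployment should load the full table), the proxy log line shape and the trusted-domain list are assumptions, and the sample log lines and HTML are constructed. Punycode decoding uses the standard library's IDNA 2003 codec; the third-party idna package implements IDNA 2008 if stricter handling is needed.

```python
import re
import unicodedata

# Assumed, tiny subset of the Unicode confusables table (UTS #39): Cyrillic
# letters that render like Latin ones. Production code should load the full table.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y",
               "х": "x", "і": "i", "ј": "j", "ѕ": "s"}
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def decode_host(host):
    """Return the hostname with punycode (xn--) labels decoded to Unicode.
    Uses the stdlib IDNA 2003 codec; labels it cannot decode are kept raw."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def label_scripts(label):
    """Set of scripts (Latin/Cyrillic/Greek) used by the letters of one label."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()} & SCRIPTS


def lookalike_form(host):
    """Fold confusable characters to their Latin lookalikes."""
    return "".join(CONFUSABLES.get(c, c) for c in host)


def check_host(host, trusted):
    """Reasons a hostname looks like a homograph of a trusted domain ([] if clean)."""
    decoded = decode_host(host)
    labels = decoded.split(".")
    reasons = []
    if any(len(label_scripts(l)) > 1 for l in labels):
        reasons.append("mixed-script label")
    if any(l.startswith("xn--") for l in labels):
        reasons.append("undecodable punycode label")
    folded = lookalike_form(decoded)
    if folded != decoded and folded in trusted:
        reasons.append("lookalike of trusted domain " + folded)
    return reasons


def scan_proxy_log(lines, trusted):
    """Apply check_host to 'timestamp client=IP host=NAME' proxy lines (assumed shape)."""
    hits = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        reasons = check_host(fields["host"], trusted)
        if reasons:
            hits.append((fields["client"], fields["host"], reasons))
    return hits


# HTTrack stamps cloned pages with an HTML comment naming the original site.
HTTRACK_RE = re.compile(r"<!--\s*Mirrored from\s+(\S+).*?HTTrack", re.S)


def find_httrack_mirror(html):
    """Return the origin named in an HTTrack 'Mirrored from' comment, else None."""
    m = HTTRACK_RE.search(html)
    return m.group(1) if m else None


# Constructed sample data (not real telemetry).
TRUSTED = {"paypal.com", "microsoft.com", "example.com"}


def _puny(label):
    """What a proxy would log for a Unicode label: its punycode form."""
    return label.encode("idna").decode("ascii")


PROXY_LOG = [
    "2024-03-01T09:12:00Z client=192.0.2.5 host=paypal.com",
    "2024-03-01T09:12:07Z client=192.0.2.5 host=" + _puny("pаypal") + ".com",     # Cyrillic а
    "2024-03-01T09:13:40Z client=192.0.2.8 host=" + _puny("mіcrosoft") + ".com",  # Cyrillic і
    "2024-03-01T09:15:02Z client=192.0.2.9 host=intranet.example.com",
]
SAMPLE_HTML = ("<!DOCTYPE html><!-- Mirrored from portal.example.com/login by HTTrack "
               "Website Copier/3.x [XR&CO'2014], Fri, 01 Mar 2024 09:20:11 GMT -->\n"
               "<html><body><form action=\"/collect\">...</form></body></html>")
```

scan_proxy_log(PROXY_LOG, TRUSTED) flags the two punycoded hosts, each for both reasons (a label mixing Latin and Cyrillic, and a confusable-folded form that equals a trusted domain), and passes the two genuine hosts; find_httrack_mirror(SAMPLE_HTML) returns "portal.example.com/login". Decoding before comparing is the important step: the raw xn-- form in the log looks nothing like the brand it imitates, which is exactly why it slips past keyword matching.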