
Corporate M&A Under Attack by Cyber Espionage Gang That Enters via Unsecured IoT Devices, Quietly Monitors Emails

A new threat actor is aptly demonstrating the risks that improperly secured Internet of Things (IoT) devices can pose. The group has a specific focus on corporate mergers & acquisitions (M&A) that are in the works, embedding itself in networks for anywhere from several weeks to over a year and monitoring emails for insider information. This mass cyber espionage campaign has been going on since at least December 2019 and primarily leverages a massive botnet composed of compromised IoT security cameras to gain access.

The identity of the hackers is unknown at this time and they appear to have a financial motivation, but the sophistication of the campaign and the particular tactics used mirror those known to be employed by some of Russia’s advanced persistent threat (APT) groups.

Cyber espionage campaign searches employee emails for relevant terms

The cyber espionage campaign focuses on bulk collection of corporate emails, which are searched for terms related to ongoing M&A discussions. The attacks were discovered by cybersecurity firm Mandiant, whose researchers report that common tools used to search emails across an entire organization (such as Graph API and eDiscovery) are being used by the hackers to target specific terms that could lead them to inside M&A and corporate transaction information.

Mandiant has labeled the as-yet unidentified threat actor UNC3524. The group has been observed quietly harvesting emails from corporate servers for as much as 18 months at a time, far exceeding the average dwell time of 21 days logged in 2021 and further implicating cyber espionage as the purpose of its attacks. Additional evidence of the group's advanced status includes its selective targeting of low-security devices, demonstrated ability to evade defenses, low malware footprint and use of a very large botnet that appears to be made up primarily of compromised IoT cameras.

The attackers deploy a unique backdoor that Mandiant has named QUIETEXIT, and it is most frequently targeted at devices on the network that aren’t covered by antivirus or endpoint protection solutions (such as wireless access point controllers). These are devices that require vendor updates for security, and that are often not updated in this way (or are simply never secured properly in the first place).

Once a foothold and privileged access to the email system are established, the attacker targets Microsoft Exchange or Microsoft 365 Exchange Online executive mailboxes and the mailboxes of employees whose roles relate to M&A. The attackers also target IT security accounts, presumably to keep tabs on any detection of the cyber espionage campaign. The attacker generally first queries these mailboxes for recent messages, then extracts the entire contents from a specific point onward and appears to run its targeted keyword searches over that data.

The group also appears to rely heavily on known vulnerabilities in specific models of IoT cameras as a means of entry. The one it exploited repeatedly was a conference room camera system manufactured by LifeSize Inc., and it also exploited a known vulnerability in a D-Link IP camera model. Mandiant believes that most of the cameras the group compromises are running older firmware versions set up with known default credentials.

Given the group’s pattern of targeting these fringe devices, Mandiant recommends network-based logging of traffic at layer 7 (the application layer) as the primary means of detection. Zach Hanley, Chief Attack Engineer with Horizon3.ai, adds that these attacks share qualities with business email compromise attempts: “UNC3524 and other threat actors are adapting their tactics as enterprises improve detections for past actions such as moving off Windows hosts, which are highly monitored, and ensuring network traffic to compromise email services originates from the internal network. While their tactics have adapted on the post-compromise side, the most popular initial compromise remains credential compromise – most often from weak passwords. By tightly enforcing a strong password policy which includes blacklisting commonly used base terms, organizations can work to prevent BEC from taking place.”
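The layer 7 detection Mandiant recommends comes down to asking a simple question of your HTTP logs: which devices are talking to mailbox APIs, and how much? The script below is an added example written for this article, not Mandiant's tooling or anything UNC3524 used. It runs over a constructed sample of proxy/NDR records enriched with an asset class from the inventory and raises two kinds of alert: a non-endpoint device (camera, wireless access point controller, printer) calling a mail API at all, and any single source issuing bulk mailbox requests in a short window. The record format, asset classes, hostnames, path markers and thresholds are all assumptions for the demo; the Graph `/messages` and EWS `Exchange.asmx` paths are real Microsoft endpoints, the `mail.corp.example` host and the IP ranges are made up.

```python
"""Detection over layer-7 (HTTP) logs for mailbox-API access from devices
that should never read mail. Added example for this article; the log
schema, asset tags, hostnames and thresholds are assumptions for the demo."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed asset classes (from a CMDB lookup on the source IP) that have no
# legitimate reason to call mailbox APIs: the "fringe" devices in the article.
NON_MAIL_ASSET_CLASSES = {"ip_camera", "conference_camera", "wap_controller", "printer"}

# Assumed mailbox API surface: Graph mail endpoints, EWS and OWA paths.
# graph.microsoft.com and outlook.office365.com are real; mail.corp.example is made up.
MAIL_API_HOSTS = {"graph.microsoft.com", "outlook.office365.com", "mail.corp.example"}
MAIL_API_PATH_MARKERS = ("/messages", "/mailfolders", "/ews/exchange.asmx", "/owa/")

BULK_THRESHOLD = 50              # mail requests from one source ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def is_mail_api_request(rec):
    """True if the request targets a mailbox read/search endpoint."""
    host = rec["dst_host"].lower()
    path = rec["path"].lower()
    return host in MAIL_API_HOSTS and any(m in path for m in MAIL_API_PATH_MARKERS)


def detect(records):
    """Apply both rules and return a list of alert dicts."""
    alerts = []
    flagged_sources = set()           # rule 1 fires once per source, not per request
    per_source = defaultdict(list)    # source IP -> timestamps of mail API requests
    for rec in records:
        if not is_mail_api_request(rec):
            continue
        # Rule 1: a non-endpoint device calling a mailbox API.
        if rec["asset_class"] in NON_MAIL_ASSET_CLASSES and rec["src_ip"] not in flagged_sources:
            flagged_sources.add(rec["src_ip"])
            alerts.append({"rule": "mail_api_from_iot", "src": rec["src_ip"], "ts": rec["ts"]})
        per_source[rec["src_ip"]].append(datetime.fromisoformat(rec["ts"]))
    # Rule 2: bulk collection. Sliding window over sorted timestamps per source.
    for src, times in per_source.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BULK_WINDOW:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append({"rule": "bulk_mail_access", "src": src, "ts": t.isoformat()})
                break
    return alerts


def summarize(alerts):
    """Count alerts by rule name."""
    return Counter(a["rule"] for a in alerts)


def build_sample_records():
    """Constructed sample log: one workstation, one camera, one WAP controller."""
    base = datetime(2022, 5, 3, 9, 0, 0)

    def rec(src, cls, host, path, offset_s):
        return {"ts": (base + timedelta(seconds=offset_s)).isoformat(), "src_ip": src,
                "asset_class": cls, "dst_host": host, "path": path}

    recs = []
    # Benign: a workstation user reading a few of their own messages via Graph.
    for i in range(3):
        recs.append(rec("10.1.20.15", "workstation", "graph.microsoft.com",
                        "/v1.0/me/messages", i * 60))
    # Suspicious: a conference camera reading another user's mailbox via Graph.
    for i in range(2):
        recs.append(rec("10.9.0.42", "conference_camera", "graph.microsoft.com",
                        "/v1.0/users/exec@corp.example/messages", i * 30))
    # Suspicious and bulky: a WAP controller issuing 60 EWS requests in 5 minutes.
    for i in range(60):
        recs.append(rec("10.9.0.7", "wap_controller", "mail.corp.example",
                        "/EWS/Exchange.asmx", i * 5))
    # Noise: the camera's firmware check is not a mail API request and must not alert.
    recs.append(rec("10.9.0.42", "conference_camera", "fw.vendor.example", "/update", 100))
    return recs


if __name__ == "__main__":
    found = detect(build_sample_records())
    for a in found:
        print(a)
    print(dict(summarize(found)))
```

The rule-1 check only works if the proxy or sensor export carries an asset class, so the practical prerequisite is an inventory that tags cameras, access point controllers and similar devices; without that enrichment you can still fall back to source subnet. Rule 2 is deliberately coarse: an eDiscovery job or a mail client syncing a large folder will also trip it, so treat it as a triage signal to be correlated with the source's asset class and the mailbox being read, not as a standalone verdict.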

M&A targeting for profit?

While Mandiant is not yet ready to attribute the M&A attacks to a particular actor, it did say that the techniques used line up with certain Russian state-backed cyber espionage actors. Specifically, APT 29 (better known as Cozy Bear) is the only threat group previously known to use a particular credential addition technique that was seen in these attacks.

The focus on M&A would imply an interest in financial gain, but it remains unclear exactly what the threat group’s intentions are given the extremely long dwell times (well over a year in some cases) of some of these cyber espionage campaigns. This is far from the first group with an M&A focus; it’s become something of a trend in the criminal underworld in recent years, with criminal actors hitting venture capital and private equity firms. However, these are generally ransomware targets; the hackers believe that these firms have the deep pockets to pay their demands and will do so quickly to avoid introducing any complications to an ongoing deal.

These groups are also sometimes seeking time-sensitive financial information to manipulate stock prices and/or add extra pressure to a ransom demand, something the FBI issued an advisory about in November 2021. The notorious REvil and Darkside ransomware gangs had appeared to be making moves into this space prior to being crippled by law enforcement efforts. However, this current cyber espionage campaign has yet to make any of these quick plays for payouts; the attackers appear to be content to sit for months and harvest related information. As John Gunn, CEO of Token, notes: “This threat goes beyond simple eavesdropping on confidential information to profit on future M&A. Consider that those same compromised users will share login credentials, payment information, protected IP, and PII in emails even though it is inherently unsafe.”