


UNC1151 is a threat group targeting organizations primarily in Eastern Europe. UNC1151 is an internal name used by Mandiant threat researchers to attribute “uncategorized cyber intrusion activity.” The UNC1151 threat group seems to be focused on the compromise of government and private sector communications within Lithuania, Latvia, Poland, Ukraine, and Germany. They have also targeted and compromised selected targets in Belarus. This information, once compromised and collected, can be used for additional malicious purposes.

It should be noted that, consistent with most nation-state-aligned activity (North Korea being an exception), most UNC1151 activity has focused on obtaining confidential information and not on the theft of funds by any means. This strategy further reinforces the notion that UNC1151 is nation-state aligned in loyalty, purpose, and funding.

Some of the best threat researchers in the world believe that UNC1151 is aligned and connected to the Belarusian government. However, there may also be Russian involvement in UNC1151, although this has not yet been confirmed. The information operations and deception campaigns undertaken and supported, at least in part, by UNC1151 include a campaign called Ghostwriter. Ghostwriter may be a proxy for UNC1151, but the two may also be different organizations that cooperate closely.

The name Ghostwriter was attributed to UNC1151’s earliest attacks. In these cyberattacks, UNC1151 would explicitly target and then steal the credentials of journalists and publishers and then publish bogus articles using those stolen credentials. So UNC1151 acted as malicious and unwanted ghostwriters for the parties whose credentials were stolen.

Over time, UNC1151 has been involved with many spear-phishing campaigns that utilize malware to obtain authentication credentials. Spear-phishing campaigns use malicious fake websites that appear to be legitimate pages. Once the user is engaged, they can be duped into entering otherwise confidential authentication credentials.

Security researchers have also observed UNC1151 sending dangerous attachments with phishing emails. The attachments have included a variety of malware. In addition, UNC1151 often uses long and obfuscated subdomains to make phishing domains look legitimate on quick inspection. UNC1151 has targeted thousands of accounts using these techniques with custom spear-phishing content.
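
The long-subdomain trick described above can be screened for in mail and proxy logs. The following is an added example, not code from this page or from Mandiant; the suffix set, the trusted-host list, the thresholds, and all hostnames are constructed assumptions.

```python
# Added example: heuristics for hostnames that bury a trusted name in subdomains.

# Assumption: tiny stand-in for the Public Suffix List; load the real list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.ua", "gov.ua", "com.pl", "gov.pl"}
# Assumption: constructed allowlist of login hosts your users really use.
TRUSTED = {"accounts.example.com", "mail.example.org"}


def registrable_domain(host):
    """Return the domain that actually had to be registered for this host."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def contains_labels(haystack, needle):
    """True if needle's labels occur as a contiguous run inside haystack."""
    h, n = haystack.split("."), needle.split(".")
    return any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def assess(host, trusted=TRUSTED, max_labels=4, max_len=40):
    """Return reasons a hostname looks like a lookalike (empty list = none)."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    trusted_regs = sorted({registrable_domain(t) for t in trusted})
    if reg in trusted_regs:
        return []  # really lives under a trusted registrable domain
    reasons = []
    sub = host[: len(host) - len(reg)].rstrip(".")
    flat = sub.replace("-", ".")  # compare "mail-example-org" like "mail.example.org"
    for t in trusted_regs:
        if contains_labels(flat, t):
            reasons.append(f"imitates {t} but is registered under {reg}")
    depth = host.count(".") + 1
    if depth > max_labels:
        reasons.append(f"{depth} labels deep")
    if len(host) > max_len:
        reasons.append(f"{len(host)} characters long")
    return reasons


if __name__ == "__main__":
    # Constructed sample hostnames using reserved example/test names.
    for h in ["accounts.example.com",
              "accounts.example.com.login-session.verify.badhost.test",
              "mail-example-org.auth.portal.test"]:
        print(h, "->", assess(h) or "ok")
```

The key check is the first one: the trusted name appears in the leftmost labels while the registrable domain on the right is something else. Depth and length alone are weak signals and are best used to rank alerts.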

