UNC3569: A Persistent China-Nexus Threat Actor

Since at least June 2023, UNC3569, a China-nexus threat actor, has conducted targeted intrusion operations against the technology, gaming, energy, and telecommunications sectors, as well as Hong Kong democracy activists. This group’s activities appear to align closely with the intelligence priorities of the Chinese Communist Party (CCP). Their operations, which include leveraging advanced malware and novel infrastructure tactics, suggest a focus on intelligence collection and counterintelligence.

Historical evidence of infrastructure creation ties UNC3569 to activity dating back to 2021, although direct attribution for earlier operations remains unconfirmed. Recent developments indicate the group’s commitment to evolving its tactics and tools, emphasising its long-term strategic goals.

Target Sectors and Geography

UNC3569’s campaigns have primarily focused on:

  1. Sectors: Telecommunications, energy, technology, and gaming.

  2. Regions: Taiwan, Indonesia, and Hong Kong.

The group’s targeting of Hong Kong democracy activists aligns strongly with the CCP’s intelligence priorities, reflecting an ongoing focus on surveillance and suppression of dissidents. Intrusions into telecommunications entities likely aim to access Call Data Records (CDR), which provide critical intelligence and counterintelligence insights.

Recent Activity

In December 2024, UNC3569 operationalised new command-and-control (C2) infrastructure using the KEYPLUG malware family. This infrastructure included a newly acquired domain and five additional adversary-controlled domains. Notably, one of these domains employed a subdomain resolving to IP addresses associated with the Gcore Labs Content Delivery Network (CDN). This tactic, unprecedented among China-nexus adversaries, is almost certainly intended to obfuscate their operations by leveraging legitimate infrastructure.

Kill Chain Analysis

1. Reconnaissance

UNC3569 conducts host reconnaissance using commands such as:

  1. net group
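As an added example (not code from the original article), a small Python detector that surfaces the `net group` host-reconnaissance commands described above in Windows process-creation telemetry. The log layout, the extra net.exe variants and the list of unusual parent processes are my own assumptions; the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Discovery commands to surface. The first pattern is the command the article
# attributes to UNC3569; the other two are common net.exe variants of the same
# behaviour, added here as an assumption rather than taken from the article.
RECON_PATTERNS = [
    re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+localgroup\b", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b", re.I),
]
# Parent processes that rarely spawn net.exe legitimately (assumption).
SUSPICIOUS_PARENTS = ("wscript.exe", "cscript.exe", "rundll32.exe", "winword.exe")

@dataclass
class Alert:
    host: str
    user: str
    parent: str
    command: str
    reason: str

def parse_line(line: str) -> dict:
    """Parse a 'key=value|key=value' telemetry line (constructed layout)."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def detect(lines) -> list:
    """Return one Alert per process-creation event matching a recon pattern."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.get("CommandLine", "")
        if not any(p.search(cmd) for p in RECON_PATTERNS):
            continue
        reason = "net.exe group/user discovery"
        parent = ev.get("ParentImage", "")
        # Escalate when the parent is a script host or Office app rather than
        # an interactive shell, which is more typical of post-exploitation tooling.
        if parent.lower().endswith(SUSPICIOUS_PARENTS):
            reason += "; unusual parent process"
        alerts.append(Alert(ev.get("Host", "?"), ev.get("User", "?"), parent, cmd, reason))
    return alerts

# Constructed sample events in a simplified Sysmon Event ID 1 style.
SAMPLE_LOGS = [
    r'Host=WS01|User=CORP\alice|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=net group "Domain Admins" /domain',
    r'Host=WS02|User=CORP\svc_backup|ParentImage=C:\Windows\System32\rundll32.exe|CommandLine=net1 group /domain',
    r'Host=WS03|User=CORP\bob|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=ping -n 1 fileserver',
    r'Host=WS04|User=CORP\carol|ParentImage=C:\Windows\explorer.exe|CommandLine=net use Z: \\fileserver\share',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"{a.host} {a.user}: {a.command!r} ({a.reason})")
```

Running the block prints the two matching events; `net use` and `ping` are deliberately left unflagged so the rule stays focused on group and user discovery.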

2. Weaponisation

While specific weaponisation details remain unidentified, the group likely tailors its payloads to the targeted environment.

3. Delivery

Delivery mechanisms are not yet identified but likely include spear-phishing emails and supply chain compromises, consistent with observed tactics of similar threat actors.

4. Exploitation

Details on exploitation methods remain undisclosed.

5. Installation

UNC3569 deploys a variety of malware families, including:

  1. KEYPLUG: Primary C2 framework.

  2. ShadowPad: Sophisticated backdoor used by multiple China-nexus actors.

  3. PlugX: Modular remote access Trojan (RAT).

  4. TumbleDown and Tumbler: Used for persistence and lateral movement.

  5. Sliver: Open-source adversary emulation tool.

  6. Cobalt Strike: Commercial penetration testing tool repurposed for malicious activity.

  7. Lighthouse (ARL): Used for asset reconnaissance.

6. Command and Control (C2)

  1. UNC3569 uses operational relay box (ORB) networks for infrastructure management.

  2. Registers domains via NameCheap and leverages Cloudflare nameservers to mask activity.

7. Actions on Objectives

  1. Theft of sensitive information, including proprietary data and personal information.

Technical and Strategic Insights

Tactics and Tools

UNC3569’s arsenal includes both custom and publicly available tools, reflecting a dual strategy of leveraging unique capabilities while adopting common, effective malware to blend with broader activity. Key tools include:

  1. Sliver: Widely used for command execution and lateral movement.

  2. PlugX and ShadowPad: Long-standing staples of China-nexus actors, enabling persistence and remote control.

  3. KEYPLUG: The group’s flagship framework, central to its operations.

Infrastructure Tactics

  1. Utilisation of legitimate services such as Gcore Labs CDN to obscure malicious activity is a significant evolution in UNC3569’s operational security practices.

  2. Strategic domain registration through providers like NameCheap and reliance on Cloudflare nameservers further enhance their ability to evade detection.

Motivations and Objectives

UNC3569’s operations are highly consistent with China’s broader intelligence goals, including:

  1. Monitoring dissidents and activists, particularly in Hong Kong.

  2. Collecting industrial intelligence from key sectors such as technology and energy.

  3. Gaining access to telecommunications data for counterintelligence purposes.

Implications and Recommendations

Organisations in the targeted sectors should adopt the following measures to mitigate risks associated with UNC3569:

1. Strengthen Network Monitoring:

  1. Deploy advanced threat detection systems to identify suspicious C2 activity.

  2. Monitor for connections to known UNC3569 infrastructure and malware signatures.

2. Enhance Endpoint Security:

  1. Regularly update and patch systems to mitigate exploitation risks.

  2. Use endpoint detection and response (EDR) solutions to detect malware families such as KEYPLUG and ShadowPad.

3. Improve Email Security:

  1. Implement robust phishing protection mechanisms.

  2. Train employees to recognise spear-phishing attempts.

4. Threat Intelligence Integration:

  1. Leverage platforms like MISP to stay updated on IoCs associated with UNC3569.

  2. Share intelligence with trusted communities to strengthen collective defences.

To Sum Up

UNC3569’s operations underscore the persistent threat posed by China-nexus adversaries. Their evolving tactics, reliance on advanced malware, and focus on high-value targets highlight the need for robust cyber security defences and ongoing vigilance. By understanding the group’s methodologies and objectives, organisations can better prepare to defend against their intrusion campaigns.
