UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping … – Mandiant

UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smishing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations. This activity overlaps with activity that has been reported in open sources as “0ktapus,” “Scatter Swine,” and “Scattered Spider.” Since 2022 and through early 2023, UNC3944 appeared to focus on accessing credentials or systems used to enable SIM swapping attacks, likely in support of secondary criminal operations occurring outside of victim environments. However, in mid-2023, UNC3944 began to shift to deploying ransomware in victim environments, signaling an expansion in the group’s monetization strategies. These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand; Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services. 
UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group. UNC3944 has also consistently relied on publicly available tools and legitimate software in combination with malware available for purchase on underground forums. The following examples represent some of the more notable tactics, techniques, and procedures (TTPs) that have been observed during UNC3944 operations. 
The following sections organize UNC3944’s TTPs by the stages of the Mandiant attack lifecycle model and focus on activity observed during UNC3944 intrusions in 2023.
A hallmark of UNC3944 incidents is the use of smishing messages sent to employees of targeted organizations to steal valid credentials. In the majority of cases where we identified the initial access vector, UNC3944 obtained access to the victim environment after a successful smishing attack. After obtaining credentials, the threat actors have also impersonated employees on calls to victim organizations’ service desks in an attempt to obtain multi-factor authentication (MFA) codes and/or password resets. During these calls, the threat actor provided verification information requested by the help desk employees, including usernames, employee IDs, and other types of personally identifiable information (PII) associated with employees. Notably, the threat actors often asked the service desk staff to repeat the question and paused for significant lengths of time before answering, likely because they were looking through notes or attempting to search for the answer to the question posed. In one incident, UNC3944 socially engineered the IT help desk into resetting the MFA token for account credentials that may have been exposed on a laptop used by an IT outsourcing company contracted by the victim organization. Mandiant determined that RECORDSTEALER credential theft malware had been installed on this laptop through a fake software download only a few weeks prior. UNC3944 typically uses stolen credentials to then establish a foothold in victim environments.
UNC3944 phishing pages are designed to appear as if they belong to the targeted organization and frequently use single sign-on (SSO) or service desk lures. The registered domains typically combine the victim organization’s name with “-sso” or “-servicenow”. Based on analysis of suspected UNC3944 phishing domains, it is plausible that the threat actors have, in some cases, used access to victim environments to obtain information about internal systems and leveraged that information to facilitate more tailored phishing campaigns. For example, in some cases the threat actors appeared to create new phishing domains that included the names of internal systems.
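The lure-domain naming described above (organization name combined with “-sso” or “-servicenow”, sometimes with the name of an internal system) lends itself to a simple watch-list check over newly observed domains from certificate transparency or passive DNS. The following Python script is an added example and is not Mandiant tooling; the organization tokens, the allow-list of legitimately owned domains, and the candidate domain feed are all constructed for illustration.

```python
"""Flag newly observed domains that pair an organization's name (or an
internal system name) with an SSO / service-desk token, the lure-domain
pattern described above. Added example, not Mandiant tooling; ORG_TOKENS,
ALLOWLIST and CANDIDATE_DOMAINS are constructed."""
from dataclasses import dataclass

# Tokens the report ties to UNC3944 lure pages; extend with hyphen-delimited
# tokens seen in your own environment.
LURE_TOKENS = {"sso", "servicenow"}

# Names an attacker would pair with a lure token: the organization's name and,
# per the report, names of internal systems learned during an intrusion.
ORG_TOKENS = ("acme", "hrportal")  # constructed

# Domains the organization actually owns; never alert on these.
ALLOWLIST = {"acme.com", "sso.acme.com", "acme-servicenow.com"}  # constructed


@dataclass(frozen=True)
class Finding:
    domain: str
    org_token: str
    lure_token: str


def score_domain(domain, org_tokens=ORG_TOKENS, allowlist=ALLOWLIST):
    """Return a Finding when any DNS label of the domain contains an org
    token and a hyphen-delimited lure token (e.g. acme-sso), else None.
    Every label is inspected so that sso-acme.evil.example is caught too."""
    domain = domain.lower().strip(".")
    if domain in allowlist:
        return None
    for label in domain.split("."):
        parts = label.split("-")
        lure = next((p for p in parts if p in LURE_TOKENS), None)
        org = next((t for t in org_tokens if t in label), None)
        if lure and org:
            return Finding(domain, org, lure)
    return None


def triage(domains, org_tokens=ORG_TOKENS, allowlist=ALLOWLIST):
    """Run score_domain over a feed and keep only the hits."""
    return [f for f in (score_domain(d, org_tokens, allowlist) for d in domains) if f]


# Constructed feed of newly observed domains (e.g. from CT logs or passive DNS).
CANDIDATE_DOMAINS = [
    "acme-sso.com",          # org name + "-sso"
    "acme-servicenow.net",   # org name + "-servicenow"
    "sso.acme.com",          # legitimate, allow-listed
    "acme-servicenow.com",   # legitimate, allow-listed
    "hrportal-sso.com",      # internal system name + "-sso"
    "login.example.org",     # unrelated
    "acmesso.com",           # no hyphen: outside the pattern, not flagged
]

if __name__ == "__main__":
    for finding in triage(CANDIDATE_DOMAINS):
        print(f"{finding.domain}: org={finding.org_token} lure={finding.lure_token}")
```

The check is deliberately narrow: it only fires when a lure token is a hyphen-delimited part of a label, mirroring the “-sso”/“-servicenow” pattern in the report, so a domain such as acmesso.com would need a separate typo-squatting rule. Keeping internal system names in ORG_TOKENS is what catches the tailored domains mentioned at the end of the paragraph.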
Mandiant has identified at least three phishing kits that have been used to facilitate UNC3944 campaigns.
UNC3944 doesn’t rely exclusively on smishing and social engineering to obtain the privileged access required to meet their objectives. Mandiant has observed UNC3944 use publicly available credential theft tools and expend significant effort searching through internal systems to identify ways to obtain privileged credentials. In one incident, UNC3944 was able to export the data from the victim’s HashiCorp Vault by using a copy of the Vault client, which the threat actors downloaded from the official HashiCorp site. They successfully exported the credentials from the HashiCorp Vault and authenticated to a file server with a domain admin account. In another incident, UNC3944 installed a PowerShell module for the CyberArk API, enabling them to dump credentials from the vault server. UNC3944 has attempted to identify credentials stored in internal GitHub repositories using publicly available tools such as Trufflehog and GitGuardian. On one occasion, UNC3944 executed the open-source tool MicroBurst against a victim Azure tenant using privileged credentials. The primary function of MicroBurst is to identify Azure credentials and secrets.
We have observed evidence suggesting that UNC3944 may use various infostealers to support their operations. For example, the threat actors used a PowerShell script to download the ULTRAKNOT credential stealer (aka Meduza stealer) staged on the victim’s AWS bucket. We have also observed the threat actors download or stage data miners such as VIDAR and ATOMIC.
A common hallmark of UNC3944 intrusions has been their creative, persistent, and increasingly effective targeting of victims’ cloud resources. This strategy allows the threat actors to establish a foothold for their later operations, perform network and directory reconnaissance, and access many sensitive systems and data stores while having minimal interaction with what some organizations would traditionally consider their internal corporate network.
UNC3944 is particularly adept at using privileged access to cloud environments to establish persistent access to victim environments. The persistence techniques can be difficult to monitor for and detect, especially in large multi-cloud environments. UNC3944 has added rogue federated identity providers to victims’ Microsoft Entra environment (formerly Azure Active Directory), which allowed them to execute golden SAML attacks. The threat actor could then authenticate to resources protected by Entra ID as any user in the organization without knowledge of their password or possession of their MFA device. In multiple incidents the threat actors have created Azure Virtual Machines and assigned them public IP addresses. These threat actor-created Virtual Machines do not have the organization’s mandated security and logging software installed on them, providing the threat actors with unmonitored access to a trusted system inside of the organization’s network which they then use to progress their intrusion.
The threat actors have also used their access to victim organization cloud resources to host malicious utilities and run them across systems in the network. In one incident, the threat actors hosted malicious utilities on an Amazon Web Services (AWS) S3 bucket owned by the organization and used an Intune PowerShell orchestration to download the utilities from inside the victim environment. The scripts were configured to disable firewall rules and several Windows Defender protections, such as Microsoft Defender ATP, prior to retrieving and executing an ALPHV ransomware payload.
UNC3944 has also made use of some of the more niche features and applications within Azure to move laterally and conduct data theft. On multiple occasions UNC3944 has moved laterally within an organization’s Azure environment using the Special Administration Console to connect to virtual machines via serial console. Mandiant has observed the threat actors use Azure Data Factory to modify existing pipelines to steal data that is stored in various integrated platforms such as data warehouses, storage blobs, and SQL databases. Specifically, they have created pipeline jobs that run “activities” to export data from those data sources to an attacker-controlled SFTP server. The use of data factories provided the threat actors with a stable and high-bandwidth platform to copy large volumes of data.
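The three cloud behaviours described in the preceding paragraphs (a federated identity provider added to an Entra ID domain, virtual machines created and given public IP addresses outside the normal deployment process, and Data Factory pipelines rewritten to copy data to SFTP) all leave traces in the Entra ID audit log and the Azure Activity log. The Python script below is an added example of how a detection engineer might triage such events; it is not Mandiant’s or Microsoft’s tooling. The event dictionaries are a constructed, simplified rendering of those logs, the approved-deployer identity is hypothetical, and the operation names are the ones those logs use for federation changes, VM and public IP writes, and pipeline writes.

```python
"""Triage constructed Azure / Entra ID control-plane events for three of the
cloud persistence and data-theft behaviours described above:
  1. federation settings changed on an Entra ID domain (golden SAML set-up),
  2. a VM created, and a public IP written, by a principal that is not an
     approved deployment identity,
  3. a Data Factory pipeline written with a Copy activity whose sink is SFTP.
Added example, not Mandiant's or Microsoft's tooling. The event shape is a
constructed simplification of the Entra audit log and Azure Activity log."""
from collections import defaultdict
from dataclasses import dataclass

# Operation names as recorded in the Entra ID audit log / Azure Activity log.
FEDERATION_OPS = {"Set federation settings on domain", "Set domain authentication"}
VM_WRITE_OP = "Microsoft.Compute/virtualMachines/write"
PUBLIC_IP_WRITE_OP = "Microsoft.Network/publicIPAddresses/write"
ADF_PIPELINE_WRITE_OP = "Microsoft.DataFactory/factories/pipelines/write"

# Identities allowed to create compute and public IPs (hypothetical IaC pipeline).
APPROVED_DEPLOYERS = {"iac-deploy@acme.example"}


@dataclass
class Alert:
    rule: str
    actor: str
    target: str
    detail: str


def check_federation(event):
    """Federation changes on a verified domain are rare and high impact, so
    alert on every occurrence and let an analyst confirm it was planned."""
    if event["operationName"] in FEDERATION_OPS:
        return Alert("federation-change", event["actor"], event["target"],
                     "federated IdP added or changed on domain; confirm with identity team")
    return None


def check_adf_sftp_sink(event):
    """Flag pipeline writes whose Copy activities send data to an SFTP sink."""
    if event["operationName"] != ADF_PIPELINE_WRITE_OP:
        return None
    for activity in event.get("pipelineDefinition", {}).get("activities", []):
        sink = activity.get("sink", {})
        if activity.get("type") == "Copy" and sink.get("linkedServiceType") == "Sftp":
            return Alert("adf-sftp-sink", event["actor"], event["target"],
                         f"activity {activity.get('name')} copies to SFTP host {sink.get('host')}")
    return None


def check_unapproved_vm(events):
    """Group VM and public IP writes by actor; a non-approved principal that
    creates a VM is alerted, and any public IP it also created is noted."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["operationName"] in (VM_WRITE_OP, PUBLIC_IP_WRITE_OP):
            by_actor[ev["actor"]].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        if actor in APPROVED_DEPLOYERS:
            continue
        vms = [e["target"] for e in evs if e["operationName"] == VM_WRITE_OP]
        ips = [e["target"] for e in evs if e["operationName"] == PUBLIC_IP_WRITE_OP]
        for vm in vms:
            detail = ("public IP also created: " + ", ".join(ips)) if ips else "no public IP seen"
            alerts.append(Alert("vm-create-unapproved", actor, vm, detail))
    return alerts


def triage(events):
    """Run the per-event checks in order, then the cross-event VM correlation."""
    alerts = []
    for ev in events:
        for check in (check_federation, check_adf_sftp_sink):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    alerts.extend(check_unapproved_vm(events))
    return alerts


RG = "/subscriptions/<sub-id>/resourceGroups/rg-prod/providers"  # placeholder path
# Constructed sample events; jdoe plays the compromised account.
SAMPLE_EVENTS = [
    {"source": "EntraAudit", "operationName": "Set federation settings on domain",
     "actor": "jdoe@acme.example", "target": "acme.example"},
    {"source": "AzureActivity", "operationName": VM_WRITE_OP,
     "actor": "jdoe@acme.example", "target": f"{RG}/Microsoft.Compute/virtualMachines/vm-tmp01"},
    {"source": "AzureActivity", "operationName": PUBLIC_IP_WRITE_OP,
     "actor": "jdoe@acme.example", "target": f"{RG}/Microsoft.Network/publicIPAddresses/vm-tmp01-ip"},
    {"source": "AzureActivity", "operationName": VM_WRITE_OP,
     "actor": "iac-deploy@acme.example", "target": f"{RG}/Microsoft.Compute/virtualMachines/vm-web03"},
    {"source": "AzureActivity", "operationName": ADF_PIPELINE_WRITE_OP,
     "actor": "jdoe@acme.example", "target": f"{RG}/Microsoft.DataFactory/factories/adf-prod/pipelines/nightly-export",
     "pipelineDefinition": {"activities": [
         {"name": "CopyToSftp", "type": "Copy",
          "sink": {"linkedServiceType": "Sftp", "host": "203.0.113.10"}}]}},
    {"source": "EntraAudit", "operationName": "Update user",
     "actor": "helpdesk@acme.example", "target": "jdoe@acme.example"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.actor} -> {a.target}: {a.detail}")
```

In a real deployment the pipeline definition would be fetched from the Data Factory API after the write event rather than carried inside the log record, and the approved-deployer set would come from the organization’s IaC service principals; the federation rule is intentionally unconditional because the report describes no benign reason for an unexpected identity provider to appear.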
UNC3944 is an evolving threat that has continued to broaden its skills and tactics in order to successfully diversify its monetization strategies. We expect that these threat actors will continue to improve their tradecraft over time and may leverage underground communities for support to increase the efficacy of their operations. The threat actors have successfully relied on social engineering schemes to obtain initial access, whether in the form of SMS phishing campaigns or by calling victim organizations’ help desks to reset passwords and MFA. UNC3944’s initial successes likely emboldened it to expand its TTPs to more disruptive and profitable attacks, including ransomware and extortion. It is plausible that these threat actors may use other ransomware brands and/or incorporate additional monetization strategies to maximize their profits in the future. We anticipate that intrusions related to UNC3944 will continue to involve diverse tools, techniques, and monetization tactics as the actors identify new partners and switch between different communities.
For organizations that are utilizing Entra ID (formerly Microsoft Azure Active Directory), the following recommendations have proven effective in mitigating common UNC3944 TTPs such as MFA abuse and unauthorized use of privileged accounts within the Microsoft cloud environment:
Because UNC3944 has proven to be very prolific in using social engineering techniques against victims’ help desk organizations, further securing the process of performing password and/or MFA resets is imperative. An extremely effective technique that help desks should utilize prior to performing password and/or MFA resets is to require video verification of the user via a video call. The help desk should verify the face of the user by comparing it to an internal system such as an HR or security badge system where a photo of the user is stored. Additionally, help desk personnel should ensure the user shows a form of identification on the video call, such as an identification badge, driver’s license, etc. This process can be further customized to meet specific needs of the organization.
Mandiant plans to release additional resources that dive further into detection mechanisms, containment and eradication techniques, and additional hardening opportunities to further mitigate UNC3944 TTPs.
UNC3944 frequently hosts their phishing kit on domains with the following patterns.
UNC3944 frequently uses built-in tools/commands and downloads publicly available tools and software from vendor websites or GitHub repositories. The following table highlights tools of this nature that have been used by UNC3944.
Common Tools/Software Used by UNC3944
Data Exfiltration Tools
Internal Reconnaissance Tools
Lateral Movement Tools
Maintain Access Tools
Other Utilities
Privilege Escalation Tools
Scripting Tools
Web Browsers
© Copyright 2023 Mandiant. All rights reserved.