UNC1945 is a threat group active since 2018 and is known to target telecommunication companies and a set of targets within the financial and professional consulting industries by leveraging access to third-party networks and Trusted Relationships.

The group uses SSH External Remote Services for Initial Access.

According to the reports, the group compromised SSH servers and advertised remote access to the infected servers on underground forums, providing evidence that threat actors are selling direct access to the External Remote Services of compromised servers as a service.

UNC1945 obtained and maintained Persistence on the victim's external infrastructure using SSH Port Forwarding, even when the host was no longer directly exposed to the internet.

UNC1945 obtained credentials and Private Keys to enable Lateral Movement in networks and obtain access to other segments of the network and third-party environments. The stolen credentials and keys were used to traverse the compromised network via SSH and deploy further malware.

The group was also reported to use Code Signing certificates to sign their tools.

Techniques Used

Domain ID Name Use
Enterprise VT0002 External Remote Services

The group compromised SSH External Remote Services for Initial Access and enabled Port Forwarding to maintain Persistence.

Enterprise VT0020.001 Remote Services: SSH

The group uses SSH Remote Services for Lateral Movement within the network and to third-party networks, and for Persistence on the network by enabling Port Forwarding.

Enterprise VT0016.002 Subvert Trust Controls: Code Signing

UNC1945 uses Code Signing certificates to sign its tools.

Enterprise VT0017.004 Unsecured Credentials: Private Keys

The group compromised credentials and private keys to enable Lateral Movement and sign into Valid Accounts.

Enterprise VT0005 Valid Accounts

The group used the stolen credentials and private keys to sign into valid accounts.
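As an added defensive example (not part of this profile), the script below audits the two conditions the techniques above depend on: sshd forwarding options left enabled, which allow a compromised account to keep a tunnel into the network, and authorized_keys entries that carry no restrict or no-port-forwarding option. It assumes OpenSSH defaults and a single global sshd_config without Match blocks; the sample inputs are constructed.

```python
"""Audit sshd_config and authorized_keys for what enables SSH port-forwarding
persistence and stolen-key lateral movement. Added example; inputs constructed."""
import re

DEFAULTS = {  # OpenSSH defaults for the options that govern forwarding
    "allowtcpforwarding": "yes", "gatewayports": "no",
    "permittunnel": "no", "allowagentforwarding": "yes"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # authorized_keys lines start here if no options

def audit_sshd_config(text):
    """Return [(option, effective_value)] for forwarding options not set to 'no'.
    First occurrence wins, as in sshd. Match blocks are not evaluated (assumption)."""
    seen = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    return [(opt, seen.get(opt, dflt)) for opt, dflt in DEFAULTS.items()
            if seen.get(opt, dflt) != "no"]

def audit_authorized_keys(text):
    """Return comments of keys lacking 'restrict' or 'no-port-forwarding'.
    Assumes the option string contains no spaces (no quoted command args)."""
    unrestricted = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(KEY_TYPES):
            options, rest = "", line
        else:
            options, _, rest = line.partition(" ")
        if not {o.lower() for o in options.split(",")} & {"restrict", "no-port-forwarding"}:
            fields = rest.split(None, 2)  # keytype, base64 key, optional comment
            unrestricted.append(fields[2] if len(fields) > 2 else fields[0])
    return unrestricted

SAMPLE_SSHD_CONFIG = """# constructed sample sshd_config
PermitRootLogin no
AllowTcpForwarding yes   # lets a compromised account tunnel back in
GatewayPorts yes
"""
SAMPLE_AUTHORIZED_KEYS = """# constructed sample authorized_keys
restrict,command="/usr/bin/backup" ssh-ed25519 AAAAC3Nz...KEY1 backup@host
ssh-rsa AAAAB3Nz...KEY2 deploy@ci
no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3Nz...KEY3 admin@laptop
ssh-ed25519 AAAAC3Nz...KEY4 unknown@unknown
"""
```

Run both functions over the real /etc/ssh/sshd_config and each user's authorized_keys; every key reported is a candidate for the restrict option, and any forwarding option reported should be set to no unless a documented use case requires it.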



Created: 09 May 2021

Last Modified: 09 May 2021