SYMBOLCOMMON_NAMEaka. SYNONYMS

UNC215  (Back to overview)


UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.


Associated Families
asp.twoface

References
2022-07-18Palo Alto Networks Unit 42Unit 42
Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig
2021-12-14Recorded FutureInsikt Group
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace ASPXSpy SharPyShell
2021-12-14Recorded FutureInsikt Group®
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace
2021-09-21eSentireeSentire
Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups
Cobalt Strike MimiKatz UNC215
2020-11-27PTSecurityAlexey Vishnyakov, Denis Goydenko
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz
2020-09-25Emanuele De Lucia
APT vs Internet Service Providers
TwoFace RGDoor
2020-06-18Australian Cyber Security CentreAustralian Cyber Security Centre (ACSC)
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader
2020-03-12Recorded FutureInsikt Group
Swallowing the Snake’s Tail: Tracking Turla Infrastructure
TwoFace Mosquito
2020-01-01FireEyeMandiant, Mitchell Clarke, Tom Hall
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL
2020-01-01SecureworksSecureWorks
COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig
2019-08-22CywareCyware
APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT
2019-07-08SANSJosh M. Bryant, Robert Falcone
Hunting Webshells: Tracking TwoFace
TwoFace
2019-04-17Malware Reversing BlogF-Secure Global
The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage
2019-02-13Youtube (SANS Digital Forensics & Incident Response)Josh Bryant, Robert Falcone
Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace
2018-07-07Youtube (SteelCon)Dan Caban, Muks Hirani
You’ve Got Mail!
TwoFace
2017-12-11Palo Alto Networks Unit 42Robert Falcone
OilRig Performs Tests on the TwoFace Webshell
TwoFace
2017-07-31Palo Alto Networks Unit 42Bryan Lee, Robert Falcone
TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig

Credits: MISP Project