UNC215 (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

UNC215 (Back to overview)

UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.

Associated Families

asp.twoface

References

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Evasive Serpens
TwoFace ISMAgent ISMDoor OopsIE RDAT OilRig

2021-12-14 ⋅ Recorded Future ⋅ Insikt Group
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace ASPXSpy SharPyShell

2021-12-14 ⋅ Recorded Future ⋅ Insikt Group®
Full Spectrum Detections for 5 Popular Web Shells: Alfa, SharPyShell, Krypton, ASPXSpy, and TWOFACE
TwoFace

2021-09-21 ⋅ eSentire ⋅ eSentire
Ransomware Hackers Attack a Top Safety Testing Org. Using Tactics and Techniques Borrowed from Chinese Espionage Groups
Cobalt Strike MimiKatz UNC215

2020-11-27 ⋅ PTSecurity ⋅ Alexey Vishnyakov, Denis Goydenko
Investigation with a twist: an accidental APT attack and averted data destruction
TwoFace CHINACHOPPER HyperBro MegaCortex MimiKatz

2020-09-25 ⋅ Emanuele De Lucia
APT vs Internet Service Providers
TwoFace RGDoor

2020-06-18 ⋅ Australian Cyber Security Centre ⋅ Australian Cyber Security Centre (ACSC)
Advisory 2020-008: Copy-Paste Compromises –tactics, techniques and procedures used to target multiple Australian networks
TwoFace Cobalt Strike Empire Downloader

2020-03-12 ⋅ Recorded Future ⋅ Insikt Group
Swallowing the Snake’s Tail: Tracking Turla Infrastructure
TwoFace Mosquito

2020-01-01 ⋅ FireEye ⋅ Mandiant, Mitchell Clarke, Tom Hall
Mandiant IR Grab Bag of Attacker Activity
TwoFace CHINACHOPPER HyperBro HyperSSL

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
COBALT GYPSY
TwoFace MacDownloader BONDUPDATER pupy Helminth jason RGDoor TinyZbot OilRig

2019-08-22 ⋅ Cyware ⋅ Cyware
APT34: The Helix Kitten Cybercriminal Group Loves to Meow Middle Eastern and International Organizations
TwoFace BONDUPDATER POWRUNER QUADAGENT Helminth ISMAgent Karkoff LONGWATCH OopsIE PICKPOCKET RGDoor VALUEVAULT

2019-07-08 ⋅ SANS ⋅ Josh M. Bryant, Robert Falcone
Hunting Webshells: Tracking TwoFace
TwoFace

2019-04-17 ⋅ Malware Reversing Blog ⋅ F-Secure Global
The Dukes: 7 Years Of Russian Cyber-Espionage
TwoFace BONDUPDATER DNSpionage

2019-02-13 ⋅ Youtube (SANS Digital Forensics & Incident Response) ⋅ Josh Bryant, Robert Falcone
Hunting Webshells: Tracking TwoFace - SANS Threat Hunting Summit 2018
TwoFace

2018-07-07 ⋅ Youtube (SteelCon) ⋅ Dan Caban, Muks Hirani
You’ve Got Mail!
TwoFace

2017-12-11 ⋅ Palo Alto Networks Unit 42 ⋅ Robert Falcone
OilRig Performs Tests on the TwoFace Webshell
TwoFace

2017-07-31 ⋅ Palo Alto Networks Unit 42 ⋅ Bryan Lee, Robert Falcone
TwoFace Webshell: Persistent Access Point for Lateral Movement
TwoFace OilRig

Credits: MISP Project