Cutting Edge

[Cutting Edge](https://attack.mitre.org/campaigns/C0029) was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. [Cutting Edge](https://attack.mitre.org/campaigns/C0029) targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. [Cutting Edge](https://attack.mitre.org/campaigns/C0029) featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024)(Citation: Volexity Ivanti Global Exploitation January 2024)(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge Part 3 February 2024)

Start date
1 December 2023
End date
1 February 2024
Techniques
31

Attributed actors

Techniques (31)

collection (4)
T1056.001 Keylogging
T1056.003 Web Portal Capture
T1005 Data from Local System
T1560.001 Archive via Utility
command-and-control (5)
T1572 Protocol Tunneling
T1205 Traffic Signaling
T1095 Non-Application Layer Protocol
T1105 Ingress Tool Transfer
T1071.004 DNS
credential-access (4)
T1003.001 LSASS Memory
T1056.001 Keylogging
T1056.003 Web Portal Capture
T1003.003 NTDS
defense-impairment (1)
T1685 Disable or Modify Tools
discovery (1)
T1082 System Information Discovery
execution (2)
T1059.006 Python
T1059 Command and Scripting Interpreter
initial-access (2)
T1078.002 Domain Accounts
T1190 Exploit Public-Facing Application
lateral-movement (3)
T1021.001 Remote Desktop Protocol
T1021.002 SMB/Windows Admin Shares
T1021.004 SSH
persistence (4)
T1205 Traffic Signaling
T1505.003 Web Shell
T1078.002 Domain Accounts
T1554 Compromise Host Software Binary
privilege-escalation (2)
T1078.002 Domain Accounts
T1055 Process Injection
reconnaissance (2)
T1595.002 Vulnerability Scanning
T1594 Search Victim-Owned Websites
resource-development (2)
T1588.002 Tool
T1584.008 Network Devices
stealth (7)
T1070.006 Timestomp
T1070.004 File Deletion
T1205 Traffic Signaling
T1078.002 Domain Accounts
T1055 Process Injection
T1070 Indicator Removal
T1027.013 Encrypted/Encoded File
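The technique listing above is grouped by tactic, so the same technique (T1205, T1078.002, T1055) appears under several tactics and the per-tactic counts add up to more than the 31 unique techniques. The following is an added example, not code from MITRE ATT&CK or from this site: it parses a listing in the page's raw format (tactic header fused with its count, technique ID fused with its name), checks each header's count against the entries beneath it, de-duplicates the IDs, and emits an ATT&CK Navigator layer so the campaign's coverage can be overlaid on a detection matrix. The embedded listing is a constructed excerpt (collection, command-and-control, credential-access and persistence only); the Navigator `versions` values are assumptions and should match the Navigator build the layer is loaded into.

```python
"""Parse a tactic-grouped ATT&CK technique listing and build a Navigator layer."""
import json
import re

# Constructed excerpt of the campaign listing, in the page's fused format:
# "collection4" = tactic + declared count, "T1056.001Keylogging" = ID + name.
TECHNIQUE_LISTING = """\
collection4
T1056.001Keylogging
T1056.003Web Portal Capture
T1005Data from Local System
T1560.001Archive via Utility
command-and-control5
T1572Protocol Tunneling
T1205Traffic Signaling
T1095Non-Application Layer Protocol
T1105Ingress Tool Transfer
T1071.004DNS
credential-access4
T1003.001LSASS Memory
T1056.001Keylogging
T1056.003Web Portal Capture
T1003.003NTDS
persistence4
T1205Traffic Signaling
T1505.003Web Shell
T1078.002Domain Accounts
T1554Compromise Host Software Binary
"""

# Tactic headers are lowercase kebab-case followed by a count; technique lines
# start with an ATT&CK ID (T#### or T####.###) immediately followed by the name.
TACTIC_RE = re.compile(r"^([a-z][a-z-]*?)(\d+)$")
TECHNIQUE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)(\S.*)$")


def parse_listing(text):
    """Return {tactic: [(technique_id, name), ...]}.

    Raises ValueError on an unrecognised line or when a tactic header's
    declared count does not match the number of techniques listed under it.
    """
    by_tactic = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = TACTIC_RE.match(line)
        if header:
            current = header.group(1)
            by_tactic[current] = {"declared": int(header.group(2)), "techniques": []}
            continue
        entry = TECHNIQUE_RE.match(line)
        if not entry:
            raise ValueError(f"unrecognised line: {line!r}")
        if current is None:
            raise ValueError(f"technique before any tactic header: {line!r}")
        by_tactic[current]["techniques"].append((entry.group(1), entry.group(2).strip()))
    for tactic, data in by_tactic.items():
        if data["declared"] != len(data["techniques"]):
            raise ValueError(
                f"{tactic}: header declares {data['declared']}, found {len(data['techniques'])}"
            )
    return {tactic: data["techniques"] for tactic, data in by_tactic.items()}


def listing_is_consistent(text):
    """True when every tactic header's count matches its entries."""
    try:
        parse_listing(text)
    except ValueError:
        return False
    return True


def unique_technique_ids(by_tactic):
    """Sorted unique technique IDs across all tactics (the page's 'Techniques' count)."""
    return sorted({tid for entries in by_tactic.values() for tid, _ in entries})


def build_navigator_layer(name, by_tactic, color="#e60d0d"):
    """Build an ATT&CK Navigator layer dict with one entry per tactic/technique pair.

    Version numbers are assumptions; set them to match the target Navigator build.
    An entry is only rendered if the loaded ATT&CK version knows that tactic/technique pair.
    """
    techniques = [
        {"techniqueID": tid, "tactic": tactic, "color": color, "enabled": True, "comment": tname}
        for tactic, entries in by_tactic.items()
        for tid, tname in entries
    ]
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(unique_technique_ids(by_tactic))} unique techniques",
        "techniques": techniques,
    }


if __name__ == "__main__":
    parsed = parse_listing(TECHNIQUE_LISTING)
    print(json.dumps(build_navigator_layer("Cutting Edge (C0029) excerpt", parsed), indent=2))
```

Run against the full listing on this page, the header check should pass for every tactic and `unique_technique_ids` should return 31 IDs, matching the "Techniques" field; a mismatch indicates a copy or extraction error rather than a change in the campaign data. Tactic names are copied as they appear on the page ("stealth", "defense-impairment"), so verify the Navigator build in use recognises them before relying on the overlay.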

Indicators of compromise

No IOCs linked to this campaign yet.

Cutting Edge — Campaign | Fancy Intel