
Cyberspies use IP cameras to deploy backdoors, steal Exchange emails
2022-05-02 17:28

A newly discovered and uncommonly stealthy Advanced Persistent Threat group is breaching corporate networks to steal Exchange emails from employees involved in corporate transactions such as mergers and acquisitions.

Mandiant researchers, who discovered the threat actor and now track it as UNC3524, say the group has demonstrated its "Advanced" capabilities as it maintained access to its victims' environments for more than 18 months.

"Once UNC3524 successfully obtained privileged credentials to the victim's mail environment, they began making Exchange Web Services API requests to either the on-premises Microsoft Exchange or Microsoft 365 Exchange Online environment," Mandiant said.

"In each of the UNC3524 victim environments, the threat actor would target a subset of mailboxes, focusing their attention on executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff."

After gaining access and deploying its backdoors, UNC3524 obtained privileged credentials to its victims' mail environments and started targeting on-premises Microsoft Exchange or Microsoft 365 Exchange Online mailboxes via Exchange Web Services API requests.

The group usually steals all emails received by "executive teams and employees that work in corporate development, mergers and acquisitions, or IT security staff" over a specific date range, rather than picking out emails of interest or filtering by keyword.


News URL

https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to-deploy-backdoors-steal-exchange-emails/