Unc3810

Malware updated 7 months ago (2024-05-04T21:18:51.023Z)
UNC3810 is a malware identified and tracked by cybersecurity firm Mandiant, notorious for its deployment of CaddyWiper in October 2022. This malicious software is designed to exploit and damage computer systems, often infiltrating via suspicious downloads, emails, or websites. The threat actor, initially tracked as UNC3810 before being merged with Sandworm, has been associated with Russia's Main Intelligence Directorate (GRU) since 2009, primarily targeting Ukraine. It employs OT-level living off the land (LotL) techniques, which involve using legitimate tools already present on the target system to carry out malicious activities. A significant incident involving UNC3810 occurred when the 'CyberArmyofRussia_Reborn' persona boasted about a wiper attack on Telegram, claiming responsibility for the disruptive operation. The attack was allegedly perpetrated by a GRU operator codenamed UNC3810, utilizing the CaddyWiper malware. However, due to a series of operator errors, UNC3810 was unable to complete the wiper attack before the boastful Telegram post, indicating premature celebration. Mandiant's investigation revealed that the 'CyberArmyofRussia_Reborn' significantly exaggerated the success of the wiper attack. Technical artifacts from UNC3810’s intrusion indicate that the attack was not as successful as claimed. The Telegram post, in fact, preceded CaddyWiper's execution by 35 minutes, thereby undermining CyberArmyofRussia_Reborn's repeated claims of independence from the GRU. These findings highlight the complex relationship between UNC3810, the GRU, and the 'CyberArmyofRussia_Reborn', revealing a web of misinformation and cyber warfare.
Description last updated: 2024-05-04T20:18:59.221Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

Alias: Sandworm (votes: 2)
Description: Sandworm is a possible alias for Unc3810. Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c

Alias: CaddyWiper (votes: 2)
Description: CaddyWiper is a possible alias for Unc3810. CaddyWiper is a destructive malware, a type of malicious software designed to exploit and damage computer systems. It was one of several malwares deployed against Ukraine starting in January 2022 by the Russian Advanced Persistent Threat (APT) group, alongside others such as WhisperGate, HermeticWip

Alias: Cyberarmyofrussia_reborn (votes: 2)
Description: Cyberarmyofrussia_reborn is a possible alias for Unc3810. CyberArmyofRussia_Reborn is a threat actor with suspected links to the GRU, Russia's main intelligence agency. This group has been associated with several high-profile cyberattacks, including those on US and Polish water utilities and a French dam. The group uses its Telegram channel to leak stolen
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Telegram
Wiper
Mandiant
Analyst Notes & Discussion
Source Document References
Information about the Unc3810 Malware was read from the documents corpus below. This display is limited to 20 results.