
Chinese espionage group UNC3886 targets Juniper routers
Advanced persistent threat group UNC3886 deployed custom backdoors on end-of-life Juniper Networks routers, underscoring the need for timely patching and advanced security monitoring
A report from Google Cloud’s Mandiant threat intelligence unit has revealed that the Chinese state-sponsored espionage group UNC3886 successfully compromised Juniper Networks routers running Junos OS.
The attack, discovered in mid-2024, involved the deployment of six distinct, yet related, malware samples, all based on the open source TinyShell backdoor. This latest campaign marks an evolution in UNC3886’s tactics, techniques and procedures (TTPs), showcasing its deep understanding of Junos OS internals and ability to gain long-term, stealthy network access.
The targeted routers were running end-of-life hardware and software, underscoring the risk organisations face when failing to maintain updated systems. In its report, Mandiant stressed the urgency of patching vulnerable systems and implementing robust security monitoring.
The deployed backdoors had diverse capabilities, ranging from active and passive backdoor functionality to an embedded script designed to disable logging mechanisms on the compromised devices. This allowed UNC3886 to maintain a persistent presence within victim networks while minimising the risk of detection.
One notable aspect of the attack was the group’s ability to circumvent Juniper’s Verified Exec (veriexec) security feature. Veriexec prevents unauthorised code from executing, but Mandiant found that UNC3886 used process injection to run its malicious code inside legitimate, already-running processes, effectively bypassing this important security layer.
This involved using the shell’s “here document” feature to write a base64-encoded file to the device, which was then decoded, decompressed and used to deliver the malicious payloads, reflecting UNC3886’s advanced technical capabilities and its willingness to develop novel methods to overcome security obstacles.
Mandiant’s analysis indicated that UNC3886 gained initial access via compromised network authentication services and through terminal servers with access to the routers. This allowed it to acquire legitimate credentials and move laterally within the targeted network.
Mandiant’s analysis also revealed that each malware sample was tailored to target Junos OS-specific features. Some of the malware variants focused on active communication with command-and-control servers, while others employed a passive listening mode, waiting for commands embedded within network traffic.
The report further detailed how UNC3886 used the compromised routers’ underlying FreeBSD operating system. The attackers gained access to the csh shell and leveraged standard utilities such as dd, mkfifo and cat to carry out malicious activities, including process injection and manipulation of system files. The use of these common tools can make detection more challenging, as it blends malicious activity with legitimate system processes.
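The living-off-the-land tooling described above (here-document staging of a base64-encoded, compressed payload; mkfifo and dd for process injection; tampering with logging) is hard to spot one command at a time, but the combination within a single operator session is unusual. The following detection sketch is an added example, not code from the Mandiant report or from Juniper: it scores constructed shell-audit lines per session and flags sessions that touch two or more of the TTP groups the article describes. The audit line format, the session ids and every command shown are assumptions made up for the sample, not data from the report.

```python
import re
from collections import defaultdict

# Constructed sample of shell-audit lines from a Junos device (assumed format,
# not real Mandiant data): "<timestamp> <session-id> <user> <command line>".
SAMPLE_AUDIT = """\
2024-06-01T10:00:01 s1 netops show interfaces terse
2024-06-01T10:00:05 s1 netops cat /var/log/messages
2024-06-01T11:02:10 s2 svc cat <<'EOF' > /var/tmp/blob.b64
2024-06-01T11:02:11 s2 svc base64 -d /var/tmp/blob.b64 > /var/tmp/blob.gz
2024-06-01T11:02:12 s2 svc gunzip /var/tmp/blob.gz
2024-06-01T11:02:15 s2 svc mkfifo /var/tmp/.f
2024-06-01T11:02:16 s2 svc dd if=/var/tmp/.f bs=4096
2024-06-01T11:05:00 s2 svc pkill syslogd
2024-06-01T12:00:00 s3 netops dd if=/dev/zero of=/var/tmp/test bs=1m count=1
"""

# Each TTP group from the report maps to a few patterns. A session scores one
# point per group it touches, so a lone benign "dd" or "cat" never fires by
# itself; "cat" is deliberately not keyed on because it is too common.
TTP_PATTERNS = {
    "heredoc_staging": [r"<<-?\s*['\"]?\w+",
                        r"\bbase64\s+(-d|--decode)\b",
                        r"\b(gunzip|unxz|bunzip2|gzip\s+-d|xz\s+-d)\b"],
    "fifo_injection": [r"\bmkfifo\b", r"\bdd\b\s+if="],
    "log_tampering": [r"\b(kill|pkill)\b.*\b(syslogd|eventd)\b"],
}

def parse_audit(text):
    """Yield (session, user, command) tuples from the assumed audit format."""
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            yield parts[1], parts[2], parts[3]

def score_sessions(text, threshold=2):
    """Return {session: sorted TTP groups} for sessions hitting >= threshold groups."""
    hits = defaultdict(set)
    for session, _user, cmd in parse_audit(text):
        for group, patterns in TTP_PATTERNS.items():
            if any(re.search(p, cmd) for p in patterns):
                hits[session].add(group)
    return {s: sorted(g) for s, g in hits.items() if len(g) >= threshold}

if __name__ == "__main__":
    for session, groups in score_sessions(SAMPLE_AUDIT).items():
        print(f"ALERT session={session} ttps={','.join(groups)}")
```

Session s3 runs dd for a legitimate reason and stays below the threshold; only s2, which chains staging, FIFO tooling and log tampering, is flagged.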
With this latest campaign, UNC3886 appeared to have expanded its targets from primarily network edge devices to internal network infrastructure. While no evidence of data staging or exfiltration was found in this instance, Mandiant warned that the compromise of routing devices presents a significant risk, potentially allowing adversaries to carry out more disruptive actions in future.
Amid these findings, Mandiant urged organisations to take immediate steps to mitigate the risks posed by UNC3886 and similar threats. These include upgrading Juniper devices to the latest software versions, implementing multifactor authentication and granular access control, and improving network monitoring and vulnerability management practices. Mandiant also called for organisations to leverage threat intelligence to continually evaluate and improve the effectiveness of security controls against emerging threats.