Mandiant discovered an espionage campaign by a China-based threat group with activity dating back to April 2022.
The group, which Mandiant tracks as UNC4191, uses three malware families that self-propagate: whenever a removable USB drive is plugged into a compromised system, the malware infects that drive so it can carry the infection onward.
This lets the malware spread to additional systems and potentially collect data from air-gapped systems (systems physically isolated from the internet and other networks), which a purely network-borne threat could not reach.
According to the Mandiant research, the UNC4191 espionage campaign is assessed to be a Chinese state-backed operation.
Mandiant’s researchers say, “China’s regional geopolitical and economic objectives and maritime territorial sovereignty are likely drivers for activity against this region.”
Mandiant’s experts believe UNC4191 operates “to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests.”
Specifically, Mandiant’s observations suggest that entities in the Philippines are the main target of this operation, based on the number of affected systems Mandiant identified in that country.
Even when a targeted organisation was headquartered elsewhere, Mandiant notes that the specific systems UNC4191 compromised were physically located in the Philippines.
The full research details are available in Mandiant’s published report on UNC4191.