Following an intensive investigation dating back to mid-2024, the security company Mandiant has uncovered a covert espionage campaign by the China-linked group UNC3886. Custom-built malware was discovered on end-of-life Junos OS routers from Juniper Networks.
Mandiant worked closely with Juniper Networks and determined that the affected Juniper MX routers were running outdated hardware and software. The investigation revealed that UNC3886 had a deep understanding of the internal structures of these systems and was exploiting this knowledge.
The discovered malware is part of an extensive ecosystem comprising six different variants. These are modified versions of the TINYSHELL backdoor, which give the attackers persistent access to the devices. Particularly insidious: alongside active and passive backdoors, there is an embedded script that disables the devices' logging mechanisms and thereby evades security monitoring.
Despite these sophisticated attack methods, Mandiant found no evidence that UNC3886 was able to bypass Junos OS's Veriexec security mechanism. Nevertheless, the attacker was able to gain root access on the compromised end-of-life (EOL) Juniper MX routers and install malicious backdoors.
One alarming aspect of this campaign is the strategic evolution of UNC3886. While the group has previously focused on network edge devices, this new activity shows that internal network infrastructure is now also being targeted – particularly ISP routers. A successful attack could have a serious impact on global networks.
Mandiant and Juniper Networks are urging companies to update their Juniper devices to the latest software versions in order to close security gaps. Companies should also use the Juniper Malware Removal Tool (JMRT) after the update and run both the Quick Scan and the Integrity Check.
Juniper Networks customers are strongly advised to review the latest security advisories and implement all suggested protective measures. The Mandiant disclosures once again underscore the importance of regular updates and proactive security measures in today’s threat landscape.
Further information:
The full report on the Google Cloud Blog contains a detailed analysis of the malware, Indicators of Compromise (IOCs) and additional recommendations for securing the network infrastructure.
(vp/Mandiant/Google Cloud)