UNC6426

Also known as: UNC6426

UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer’s GitHub Personal Access Token and gain access to a victim’s cloud environment. They abused the GitHub-to-AWS OpenID Connect trust to create a new administrator role, leveraging overly permissive permissions associated with the compromised GitHub-Actions-CloudFormation role. Using the legitimate open-source tool Nord Stream, UNC6426 conducted reconnaissance and extracted secrets from CI/CD environments, leading to the exfiltration of files from AWS S3 buckets and data destruction. The actor escalated to full AWS administrator permissions in under 72 hours.

Introduction

UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer’s GitHub Personal Access Token and gain access to a victim’s cloud environment. They abused the GitHub-to-AWS OpenID Connect trust to create a new administrator role, leveraging overly permissive permissions associated with the compromised GitHub-Actions-CloudFormation role. Using the legitimate open-source tool Nord Stream, UNC6426 conducted reconnaissance and extracted secrets from CI/CD environments, leading to the exfiltration of files from AWS S3 buckets and data destruction. The actor escalated to full AWS administrator permissions in under 72 hours.

Activities and Tactics

Information pending cataloguing.

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • StreamEx
  • CloudDuke
  • Xploit

Attribution and Evidence

Information pending cataloguing.

References

References pending cataloguing.