Juniper Networks routers in the spotlight

B2B Cyber Security ShortNews


After an investigation that began in mid-2024, Mandiant has published its findings on a covert espionage campaign by the China-nexus actor UNC3886, which deployed custom malware on end-of-life Juniper Networks routers running Junos OS.

Mandiant worked with Juniper Networks to investigate UNC3886's activity and found that the affected Juniper MX routers were running end-of-life hardware and software. The custom malware samples show that the actor has deep knowledge of Junos OS system internals. Mandiant recommends that organizations upgrade their Juniper devices to the latest released images, both to mitigate the risk and to obtain updated signatures for the Juniper Malware Removal Tool (JMRT), and then run the JMRT Quick Scan and Integrity Check after upgrading.


Details on Juniper espionage

  • UNC3886 runs its own malware ecosystem: Mandiant found six distinct malware samples deployed on several end-of-life Juniper MX routers. Each is a modified version of the TINYSHELL backdoor, giving the attackers access to the devices and letting them persist for extended periods. The set includes both active and passive backdoors as well as an embedded script that disables logging mechanisms, blinding security monitoring on the device.
  • Veriexec, the integrity mechanism built into Junos OS: Mandiant found no evidence that Veriexec, the verified-execution protection Juniper ships in supported software and hardware, was successfully exploited or bypassed there. In addition to the novel process injection technique described in the blog, however, the infections on the compromised end-of-life Juniper MX routers show that the actor succeeded in deploying executable backdoors, having obtained root access to those devices.
  • Changed TTPs (tactics, techniques and procedures): While UNC3886 has previously focused on network edge devices, this activity shows that the group also targets internal network infrastructure such as Internet service provider routers, which could have significant consequences if successful. Mandiant and Juniper Networks recommend that organizations upgrade their network devices to current releases carrying the latest security patches from Juniper Networks.
More at Mandiant.com

About Mandiant

Mandiant is a recognized leader in dynamic cyber defense, threat intelligence and incident response. With decades of experience on the cyber frontline, Mandiant helps organizations confidently and proactively defend against cyber threats and respond to attacks. Mandiant is now part of Google Cloud.
