Mandiant

John Palmisano

Across the Seven Seas: Unmasking a Global Espionage Campaign

In this talk, we unveil the intricacies of a sophisticated 8-month-long global espionage campaign that targeted government agencies and private sector companies across the world. By exploiting widely-used Email Security Gateways (ESG), the campaign left organizations vulnerable to espionage by UNC4841, a suspected Chinese actor operating in support of the People’s Republic of China.

For the first time, we will provide an inside look into the tactics, targeting, and tricks employed by UNC4841 during this espionage operation. Commencing in October 2022, the actor launched targeted attacks utilizing malicious emails cleverly disguised as low-quality spam emails to exploit a zero-day in ESG appliances. The actor employed These code families deceptively masqueraded as legitimate modules of the Email Security Gateway, enabling UNC4841 to gain initial access and establish a persistent presence on compromised appliances.

Throughout the 8-month duration, UNC4841 showcased remarkable sophistication, adaptability, responsiveness, and understanding of the appliance itself. Their activities included leveraging the compromised appliances for extremely targeted data exfiltration, as well as lateral movement into victims' networks. As the investigation progressed, the sophistication of UNC4841's activities necessitated a collaborative effort between our team, the company impacted, and US law enforcement.

By attending this talk, participants will gain insights into the modus operandi of UNC4841, the far-reaching consequences of the campaign, and the collaborative efforts involved in burning this espionage operation. We will discuss the broader implications of cyber espionage on national security, highlight key findings from the investigation, and provide actionable recommendations for bolstering defenses against similar threats in the future.

John Palmisano is a Manager within Mandiant’s incident response practice, providing emergency as well as proactive services to a broad range of organizations. As a leader of incident response engagements, John has extensive experience with enterprise-wide incident response and has led engagements ranging from advanced persistent threats to ransomware. Prior to joining Mandiant, John held a series of roles spanning incident response, security operations, digital forensics and vulnerability management across both public and private sector environments.

John holds a BSc from Miami University (Ohio) as well as a Master of Business Administration from Georgetown University.
