UNC6426
Intelligence Profile
UNC6426 exploited a supply chain compromise of the nx npm package to steal a developer's GitHub Personal Access Token and gain access to a victim's cloud environment. They abused the GitHub-to-AWS OpenID Connect trust to create a new administrator role, leveraging overly permissive permissions associated with the compromised GitHub-Actions-CloudFormation role. Using the legitimate open-source tool Nord Stream, UNC6426 conducted reconnaissance and extracted secrets from CI/CD environments, leading to the exfiltration of files from AWS S3 buckets and data destruction. The actor escalated to full AWS administrator permissions in under 72 hours.
Threat Analysis
UNC6426 is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.