From 22bea56895a65dab6011dbe35fa38962570a0df9 Mon Sep 17 00:00:00 2001
From: Mathieu4141 <mathieu@feedly.com>
Date: Wed, 27 Mar 2024 05:09:24 -0700
Subject: [PATCH] [threat-actors] Add UNC5174

---
 clusters/threat-actor.json | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 2e043cf..2a5d7dd 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -15496,6 +15496,20 @@
       },
       "uuid": "d9709373-7a3a-4905-8c90-ba74237e77ea",
       "value": "Saad Tycoon"
+    },
+    {
+      "description": "UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The actor has shown indications of transitioning from hacktivist collectives to working as a contractor for Chinese intelligence agencies.",
+      "meta": {
+        "refs": [
+          "https://rhisac.org/threat-intelligence/f5-big-ip-and-screenconnect-cves/",
+          "https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect"
+        ],
+        "synonyms": [
+          "Uteus"
+        ]
+      },
+      "uuid": "0b158297-ee47-48ef-9346-0cb0f9cb348a",
+      "value": "UNC5174"
     }
   ],
   "version": 305