TLP White: NSA | APT5: Citrix ADC Threat Hunting Guidance - December 2022

Executive summary

APT5 has demonstrated capabilities against Citrix® Application Delivery Controller™ (ADC™) deployments (“Citrix ADCs”). Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls. As such, NSA, in collaboration with partners, has developed this threat hunting guidance to provide steps organizations can take to look for possible artifacts of this type of activity. Please note that this guidance does not represent all techniques, tactics, or procedures (TTPs) the actors may use when targeting these environments. This activity has been attributed to APT5, also known as UNC2630 and MANGANESE.

Introduction

NSA recommends organizations hosting Citrix ADC environments take the following steps as part of their investigation. Treat these detection mechanisms as independent ways of identifying potentially malicious activity on impacted systems. Artifacts may vary based on the environment and the stage of that activity. As such, NSA recommends investigating any positive result even if other detections return no findings.

Key Resources

Related Resources

Letter/Comment
AHA Letter to Senate Finance Committee for May 1 Hearing on Change Healthcare Cyberattack
Letter/Comment
AHA Letter to House E&C Subcommittee for May 1 Hearing on Change Healthcare Cyberattack
Advisory
Homeland Security Proposes New Cyber Incident Reporting Requirements
Member
Special Bulletin
UnitedHealth Group Provides Update on Data Impacted By Cyberattack
Member
Testimony
AHA House Statement on “Fiscal Year 2025 Department of Health and Human Services Budget”
Public
Testimony
AHA Testimony for Energy and Commerce Subcommittee Hearing on Cybersecurity