Cyber Threat Actor: UNC1802
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
UNC1802 is a threat actor that is referenced in public reporting under the alias UNC1802. The actor has been associated with operations originating from the United States of America. One publicly documented incident involving UNC1802 took place at the University of Northern Colorado. The security breach at the university was discovered on February 5, 2018. During the incident, unauthorized individuals succeeded in accessing the institution's online portal by using the accounts of employees. The attackers obtained the employees' Social Security numbers from external sources and used those numbers to reset the passwords for the compromised accounts. After resetting the passwords, the attackers logged into the portal and proceeded to download electronic W2 forms that contained sensitive financial information. The university's investigation determined that the breach originated from outside its internal networks and found no evidence that internal data exposure had facilitated the initial account takeover.
No indication was found that the university's own systems had contributed to the attackers' ability to take over the employee accounts. The observed targeting in this case involves a higher education institution located within the United States. The geographic focus of the activity observed for UNC1802 is therefore confined to the United States. The tactics demonstrated by the actor rely on the acquisition of personally identifiable information from outside the victim environment, specifically Social Security numbers, which are then employed to trigger password reset mechanisms. The attackers leveraged the reset credentials to gain authenticated access to the online portal and exfiltrate tax‑related documents. No reference to specific malware families, custom exploit tools, or particular tooling styles appears in the available reporting. The outcome of the incident was the unauthorized collection of W2 forms rather than an attempt to cause disruption or to gather intelligence for espionage purposes. Attribution of UNC1802 to a state‑sponsored group or to a known criminal consortium has not been established in public sources. As a result, the actor is presently characterized as a credential‑theft operation that is limited to the details of the reported case. Additional public information concerning further campaigns, associated infrastructure, or other victims of UNC1802 has not been disclosed.
