A long-running campaign, Israeli targets, and China-based hackers.

What’s up?

A China-based hacker group UNC215 targeted government institutions and other organizations in Israel. The campaign was initiated in 2019. While the group’s TTPs are somewhat similar to that of the China-linked APT27, no strong evidence was found to pronounce the threat actors as the same. In addition to this, the group is pretending to be an Iranian threat actor.

The act and the actor

UNC215 used new TTPs to evade detection and attribution, implement false flags, and exploit trusted relationships for lateral propagation. As per Mandiant, the threat actor is still active.
  • The threat actor’s post-intrusion activities include performing credential harvesting and internal network reconnaissance.
  • The group attempted to thwart network defenders by sweeping off evidence of intrusion and technically altering tools to restrict outbound network traffic.
  • UNC215 has compromised organizations operating in the technology, government, defense, entertainment, finance, technology, healthcare, and telecom sectors.

Recent activities by China-linked threat actors

This is not the only China-linked threat that was observed recently. The month already witnessed two large-scale operations.
  • A China-linked cyberespionage group was found targeting ICS in Southeast Asia.
  • The China-based GhostEmperor gang was spotted targeting flaws in Microsoft Exchange Servers.

The bottom line

This attack campaign demonstrates China’s interest in Middle Eastern targets. UNC215 is an extremely sophisticated actor and has spent considerable effort to evade detection by network defenders. Researchers anticipate that the group will continue its campaigns against critical infrastructure projects in the Middle East.

Cyware Publisher