
UNC215 Impersonated an Iranian Group to Target Israeli Organizations

UNC215, a Chinese cyber-espionage group, has been linked by researchers to multiple intrusions aimed at Israeli organizations. The attacks have targeted IT services, government institutions, and telecommunications firms since 2019.

What happened?

FireEye's Mandiant threat intelligence team has linked UNC215, with low confidence, to the APT group tracked as APT27 (aka Iron Tiger), which has been active since 2014.
  • The group has targeted organizations across numerous sectors, including entertainment, government, technology, telecommunications, finance, defense, and healthcare.
  • The group targets organizations whose compromise serves Beijing's financial, diplomatic, and strategic objectives. The findings indicate that the threat group has a strong interest in Israel's technology sector.
  • UNC215 infiltrated government and academic networks to deploy web shells and FOCUSFJORD payloads.
  • These early attacks were aimed at targets in the Middle East and Central Asia.

The attack cycle

For initial access, the attackers exploited a SharePoint vulnerability (CVE-2019-0604). The group then followed a consistent pattern of credential harvesting and internal reconnaissance (via web shells) to identify key systems within the targeted network.
  • In each phase of the attacks, the group made notable efforts to hinder detection by removing forensic artifacts from infected machines, while also improving the FOCUSFJORD backdoor.
  • Later activity involved the installation of a custom implant known as HyperBro, which includes features such as a keylogger and screen capture.
  • The operators also hid their C2 infrastructure by routing C2 instructions through compromised victim networks used as proxies, and they planted false flags to mislead attribution.
  • In April 2019, the group used the SEASHARPEE web shell, which is associated with Iranian APT groups. For about eight years, the group misled forensic analysis by purporting to be Iranian actors.
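The web-shell reconnaissance phase described above leaves a characteristic trace on a SharePoint server: command-line tooling spawned directly by the IIS worker process (w3wp.exe). The following is an added detection example written for this article, not code from the report or from Mandiant; the process-creation record format, the command watch-list and the benign-child allow-list are constructed assumptions that should be tuned against your own telemetry.

```python
"""Flag processes spawned by the SharePoint IIS worker (w3wp.exe), the
fingerprint of web-shell driven reconnaissance. Added example; the event
format, watch-list and allow-list are constructed assumptions."""

IIS_WORKER = "w3wp.exe"
# Reconnaissance / credential-harvesting tooling a web shell operator
# typically runs (assumed watch-list; extend from your own telemetry).
RECON_COMMANDS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe",
                  "ipconfig.exe", "tasklist.exe", "quser.exe", "cmd.exe",
                  "powershell.exe"}
# Children w3wp.exe legitimately spawns (assumed; e.g. ASP.NET compilation).
BENIGN_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe"}


def _basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return {"ts": fields["ts"], "host": fields["host"],
            "parent": _basename(fields["parent"]),
            "image": _basename(fields["image"]),
            "cmdline": fields["cmdline"]}


def classify(ev):
    """Return a severity for the event, or None if it is not suspicious."""
    if ev["parent"] != IIS_WORKER or ev["image"] in BENIGN_CHILDREN:
        return None
    return "high" if ev["image"] in RECON_COMMANDS else "medium"


def find_webshell_activity(lines):
    """Return (severity, host, ts, cmdline) for every suspicious w3wp child."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        sev = classify(ev)
        if sev:
            alerts.append((sev, ev["host"], ev["ts"], ev["cmdline"]))
    return alerts


# Constructed sample telemetry: two recon commands under w3wp.exe on SP01,
# one benign compiler child, one unknown child, and cmd.exe under explorer.
SAMPLE_EVENTS = [
    r"ts=2019-04-02T10:15:01|host=SP01|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c whoami",
    r"ts=2019-04-02T10:15:09|host=SP01|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\System32\net.exe|cmdline=net group /domain",
    r"ts=2019-04-02T10:16:00|host=SP01|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe|cmdline=csc.exe /noconfig",
    r"ts=2019-04-02T10:17:30|host=SP01|parent=C:\Windows\System32\inetsrv\w3wp.exe|image=C:\Windows\System32\certutil.exe|cmdline=certutil -hashfile x.dat",
    r"ts=2019-04-02T11:00:00|host=WS07|parent=C:\Windows\explorer.exe|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c whoami",
]

if __name__ == "__main__":
    for alert in find_webshell_activity(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the logic raises two high-severity alerts (cmd.exe and net.exe under w3wp.exe) and one medium alert for the unexpected certutil.exe child, while ignoring the compiler child and the cmd.exe launched from explorer.exe on a workstation.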

Final words

Some experts suggest that Chinese cyber-espionage activity in the Middle East and Central Asia may be intended to safeguard China's substantial investments under the Belt and Road Initiative (BRI) in those regions. As the project progresses, espionage groups such as UNC215 are expected to continue their attacks on critical infrastructure in Israel and the wider Middle East.

Cyware Publisher