Mandiant has linked a series of attacks against Israeli institutions and private companies since 2019 to a known Chinese cyber espionage group.
FireEye’s Mandiant threat intelligence team revealed that a Chinese operation it tracks as “UNC215” has been targeting Israeli government institutions, IT providers, and telecommunications companies since 2019. The group has been active since at least 2014, targeting various entities around the world.
FireEye linked the UNC215 group with low confidence to an advanced persistent threat (APT) known as APT27, Iron Tiger, or Emissary Panda.
“UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors,” FireEye’s Israel and U.S. threat intel teams said in a report published today.
“The group targets data and organizations which are of great interest to Beijing’s financial, diplomatic, and strategic objectives,” the report said. The findings reflect a relentless appetite for defense-related secrets among hacking groups.
The group’s first attack was launched using a vulnerability in Microsoft’s SharePoint platform. It exploited the issue (CVE-2019-0604) to deploy web shells and targeted FOCUSFJORD payloads designed to infiltrate government and academic networks in the Middle East.
FOCUSFJORD (also known as HyperSSL and SysUpdate) is a backdoor used by Emissary Panda to perform various malicious tasks. After gaining initial access to a network, the adversary performs reconnaissance, steals credentials, and takes steps to spread laterally within the target network.
“China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions—political, economic, and security—and we anticipate that UNC215 will continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term,” the Mandiant team said.
The attackers try to hide their C2 infrastructure by planting false flags, cleaning up residual forensic artifacts, and proxying their C2 instructions through other victims’ networks.
The threat actor continually modifies the FOCUSFJORD backdoor in response to security vendor reports.
In a 2019 operation against a government network in Israel, UNC215 was able to access the primary target via remote desktop protocol (RDP) connections and remotely execute the FOCUSFJORD malware.
“The activity […] demonstrates China’s consistent strategic interest in the Middle East,” the researchers concluded. “This cyber espionage activity is happening against the backdrop of China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.”