Isabel van Brugen | New Tang Dynasty
A group of Chinese hackers carried out coordinated cyberattacks on Israel that affected dozens of Israeli government and private organizations, according to a report from U.S. security company FireEye released Tuesday.
Israeli government institutions, IT providers and telecommunications firms were targeted by the group in a widespread espionage campaign that began in January 2019, the California-based cybersecurity firm said in its report, noting that the hackers carried out data harvesting and reconnaissance.
FireEye, which worked alongside Israeli defence agencies in probing the cyberattacks, noted that it did not have sufficient evidence to link the Chinese espionage group, called UNC215, to the Chinese communist party regime. It added, however, that the group targets data and organizations which are of “great interest to Beijing’s financial, diplomatic, and strategic objectives.”
UNC215 is a Chinese espionage operation that has been suspected of targeting organizations around the world since at least 2014, the report states.
In early 2019, the group exploited a Microsoft SharePoint vulnerability (CVE-2019-0604) to gain a foothold, then deployed its malware tools, the FOCUSFJORD and HYPERBRO backdoors. The hackers went on to steal users' credentials and conduct internal network reconnaissance.
The group took steps to deliberately mislead researchers, and attempted to hide their nationality. They tried to do this by using methods such as planting Farsi in the parts of code which could be recovered by incident response teams, and using malware tools linked to Iranian groups that had previously been leaked online, FireEye said.
“The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT [Advanced Persistent Threat] groups may have been intended to mislead analysts and suggest an attribution to Iran,” the company’s report said.
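The artifacts the report lists, Farsi strings and file paths containing /Iran/, are exactly what a string-extraction pass surfaces during malware triage, and they are also the cheapest things for an intruder to plant. The script below is an added example, not code from the FireEye/Mandiant report or from the article: it pulls printable ASCII, UTF-8 and UTF-16LE strings out of a byte blob, flags Perso-Arabic script and "Iran" path components, and reports them as leads to corroborate rather than as attribution. The sample blob, the encoding heuristics (Arabic block U+0600..U+06FF only, even-aligned UTF-16LE) and the reason labels are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# In UTF-8 the lead bytes 0xD8-0xDB cover exactly U+0600..U+06FF, the Arabic
# block that Persian/Farsi text uses. A run is one such character followed by
# more of them or spaces, so multi-word phrases stay together.
UTF8_ARABIC_RUN = re.compile(rb"[\xd8-\xdb][\x80-\xbf](?:[\xd8-\xdb][\x80-\xbf]|\x20)+")
# In UTF-16LE the same block appears as little-endian code units "xx 06".
# Two or more consecutive units; the run is assumed to start on an even offset.
UTF16LE_ARABIC_RUN = re.compile(rb"(?:[\x00-\xff]\x06){2,}")
# Printable ASCII runs of at least four bytes, the usual strings(1) heuristic.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A path component named "Iran" with Windows or POSIX separators, any case.
IRAN_PATH = re.compile(r"[/\\]iran[/\\]", re.IGNORECASE)


@dataclass(frozen=True)
class Artifact:
    offset: int    # byte offset of the string in the sample
    encoding: str  # how the string was encoded on disk
    text: str      # decoded string
    reason: str    # why it is being flagged


def find_attribution_artifacts(data: bytes) -> list[Artifact]:
    """Return language/locale strings that hint at an origin.

    These are trivial to plant, so the result is a list of things to
    corroborate (infrastructure, tooling, victimology), not an attribution.
    """
    found: list[Artifact] = []
    for m in ASCII_RUN.finditer(data):
        text = m.group().decode("ascii")
        if IRAN_PATH.search(text):
            found.append(Artifact(m.start(), "ascii", text, "iran-path"))
    for m in UTF8_ARABIC_RUN.finditer(data):
        text = m.group().decode("utf-8").strip()
        found.append(Artifact(m.start(), "utf-8", text, "perso-arabic-string"))
    for m in UTF16LE_ARABIC_RUN.finditer(data):
        text = m.group().decode("utf-16-le")
        found.append(Artifact(m.start(), "utf-16-le", text, "perso-arabic-string"))
    return sorted(found, key=lambda a: a.offset)


def summarize(artifacts: list[Artifact]) -> dict[str, int]:
    """Count flagged strings per reason; an empty dict means nothing was found."""
    return dict(Counter(a.reason for a in artifacts))


# Farsi test strings, written as escapes so the file's encoding does not matter.
FARSI_HELLO = "\u0633\u0644\u0627\u0645 \u062f\u0646\u06cc\u0627"  # "hello world"
FARSI_ERROR = "\u062e\u0637\u0627"                                   # "error"

# Constructed sample (not a real binary): a PE-like header, a build path
# under \Iran\, a UTF-8 Farsi phrase, a UTF-16LE Farsi word, an HTTP string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"C:\\Users\\dev\\Iran\\build\\loader.pdb\x00"
    + FARSI_HELLO.encode("utf-8") + b"\x00"
    + FARSI_ERROR.encode("utf-16-le") + b"\x00\x00"
    + b"GET /index.aspx HTTP/1.1\x00"
)

if __name__ == "__main__":
    arts = find_attribution_artifacts(SAMPLE)
    for a in arts:
        print(f"0x{a.offset:04x} {a.encoding:<9} {a.reason:<20} {a.text!r}")
    print(summarize(arts))
    print("Locale strings are cheap to plant: corroborate with infrastructure, "
          "tooling and victimology before attributing.")
```

The point of keeping `reason` as a label rather than a score is that the output feeds an analyst's hypothesis list; the same scan would flag a genuine Iranian sample and a planted one identically, which is precisely why the report treats these strings as possible misdirection.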
Jens Monrad, who leads the work of FireEye’s threat intelligence division Mandiant in EMEA, told Sky News that the group’s attempt to mask their nationality was “a little bit unusual.”
“We have seen historically a few false flag attempts. We saw one during the Olympics in South Korea,” he explained. “There might be several reasons why a threat actor wants to do a false flag—obviously it makes the analysis a bit more complex.”
The report noted that the targeted attacks came against the backdrop of China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.
BRI is the Chinese regime’s multi-trillion-dollar infrastructure scheme launched in 2013 to expand its trade and political influence throughout Asia, Africa, and Europe. Critics have argued that BRI has put developing countries into “debt traps.”
“China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions [including] political, economic, and security,” FireEye said.
The company said that it expects Beijing will “continue targeting governments and organizations involved in these critical infrastructure projects.”
Sanaz Yashar, who headed FireEye's research into the Israeli targets, told Haaretz that many Israeli companies work in the fields at the core of Chinese interests, as reflected in China's five-year plans.
“Their goal isn’t necessarily always to steal intellectual property; it’s possible that they’re actually looking for business information,” said Yashar. “In the Chinese view, it’s legitimate to attack a company while negotiating with it, so they will know how to price the deal properly.”
The report comes just weeks after President Joe Biden signed a memorandum that seeks to bolster the United States’ critical infrastructure against cyberattacks.
The president warned on July 27 that if the United States ended up in a “real shooting war” with a “major power,” it could come in response to a significant cyber attack.
Cybersecurity has become a key priority for the Biden administration following a string of high-profile attacks in recent months, including those on network management company SolarWinds, the Colonial Pipeline company, meat processing firm JBS, and software company Kaseya.