A group of Chinese hackers carried out coordinated cyberattacks on Israel that affected dozens of Israeli government and private organizations, according to a report released by U.S. security company FireEye on Aug. 10.
FireEye, which worked alongside Israeli defense agencies in probing the cyberattacks, noted that it didn’t have sufficient evidence to link the Chinese espionage group known as UNC215 to the Chinese communist regime. However, it noted that the group targets data and organizations that are of “great interest to Beijing’s financial, diplomatic, and strategic objectives.”
UNC215 is a Chinese espionage operation that has been suspected of targeting organizations around the world since at least 2014, the report states.
In early 2019, the group exploited a Microsoft SharePoint vulnerability and used custom malware tools known as FOCUSFJORD and HYPERBRO. The hackers then stole users’ credentials and conducted internal network reconnaissance.
The group took deliberate steps to mislead researchers and obscure its origin. According to FireEye, these included planting Farsi-language strings in parts of the code likely to be recovered by incident responders and using malware tools associated with Iranian groups that had previously been leaked online.
“The use of Farsi strings, file paths containing /Iran/, and web shells publicly associated with Iranian APT [Advanced Persistent Threat] groups may have been intended to mislead analysts and suggest an attribution to Iran,” the report reads.
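The artifacts the report lists are exactly the kind a string-level triage pass turns up, and exactly the kind an adversary can plant cheaply. The following helper is an added example, not FireEye's tooling or anything from the report: it scans a binary blob for Farsi-script strings (in UTF-8 and UTF-16LE, at both byte alignments) and for paths containing an "Iran" directory, and reports them with an explicit low-confidence note. The sample buffer and the Farsi words in it are constructed for the example.

```python
"""Triage helper (added example, not FireEye's code): surface string-level
attribution clues of the kind UNC215 is reported to have planted, and label
them as weak evidence. The sample buffer below is constructed, not a real
malware artifact."""
import re

# Persian is written in the Unicode Arabic block. Three or more consecutive
# characters count as a string rather than stray bytes that happen to decode there.
ARABIC_SCRIPT_RUN = re.compile(r"[\u0600-\u06FF]{3,}")

# A path component "Iran" in either slash style, case-insensitive, with the
# surrounding non-blank characters so the whole path is reported.
IRAN_PATH = re.compile(r"(?i)[^\x00\s]*[\\/]iran[\\/][^\x00\s]*")


def decoded_views(data: bytes):
    """Yield the text views a strings tool would produce: UTF-8, and UTF-16LE
    at both byte alignments (Windows binaries commonly store strings as
    UTF-16LE, and a string need not start at an even offset)."""
    yield "utf-8", data.decode("utf-8", errors="ignore")
    yield "utf-16le", data.decode("utf-16-le", errors="ignore")
    yield "utf-16le+1", data[1:].decode("utf-16-le", errors="ignore")


def find_attribution_artifacts(data: bytes):
    """Return a sorted, de-duplicated list of (kind, value) findings."""
    findings = set()
    for _encoding, text in decoded_views(data):
        for m in ARABIC_SCRIPT_RUN.finditer(text):
            findings.add(("farsi_string", m.group()))
        for m in IRAN_PATH.finditer(text):
            findings.add(("iran_path", m.group()))
    return sorted(findings)


def assess(data: bytes) -> dict:
    """Bundle the findings with the caveat an analyst should carry forward:
    these clues are trivially fabricated and do not establish origin."""
    return {
        "findings": find_attribution_artifacts(data),
        "confidence": "low",
        "note": ("String-level clues are easy to plant; corroborate with "
                 "infrastructure, tooling lineage and targeting before attributing."),
    }


# Constructed sample: a fake PE-like header, a PDB path with an "Iran"
# directory, a UTF-16LE Farsi word ("salam", hello), an HTTP request line,
# and a UTF-8 Farsi word ("khata", error).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"C:\\Users\\dev\\Projects\\Iran\\build\\payload.pdb\x00"
    + "\u0633\u0644\u0627\u0645".encode("utf-16-le")
    + b"\x00\x00"
    + b"GET /index.aspx HTTP/1.1\x00"
    + "\u062e\u0637\u0627".encode("utf-8")
)

if __name__ == "__main__":
    report = assess(SAMPLE)
    for kind, value in report["findings"]:
        print(f"{kind:13s} {value}")
    print(f"confidence: {report['confidence']} ({report['note']})")
```

Run on a real sample, the findings list is a starting point for the analyst, not a verdict; the point of the fixed "low" confidence is that a path string or a Farsi word is exactly what the report says a careful actor will leave behind on purpose.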
“We have seen, historically, a few false flag attempts. We saw one during the Olympics in South Korea,” he explained. “There might be several reasons why a threat actor wants to do a false flag—obviously, it makes the analysis a bit more complex.”
The report noted that the targeted attacks came against the backdrop of China’s multibillion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.
“China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions, [including] political, economic, and security,” FireEye stated.
The company stated that it expects Beijing will “continue targeting governments and organizations involved in these critical infrastructure projects.”
“Their goal isn’t necessarily always to steal intellectual property. It’s possible that they’re actually looking for business information,” Yashar said. “In the Chinese view, it’s legitimate to attack a company while negotiating with it, so they will know how to price the deal properly.”
Cybersecurity has become a key priority for the Biden administration following a string of high-profile attacks in recent months, including those on network management company SolarWinds, fuel pipeline operator Colonial Pipeline, meat processing firm JBS, and software company Kaseya.