Cyber-espionage outfit UNC215, based in China, is responsible for a number of attacks against Israeli businesses, according to security experts. Since 2019, IT services, government institutions, and telecommunications corporations have been targeted by these attacks.
What transpired?
Researchers have a low degree of confidence that the UNC215 threat group is tied to APT27 (aka Iron Tiger), which has been active since 2014.
- In addition to entertainment, government, technology, and telecommunications, the group has also targeted the financial and defense industries.
- Its targets are organizations relevant to Beijing’s financial, diplomatic and strategic goals, which suggests that the threat group has a keen interest in Israel’s technology industry.
- Web shells and FOCUSFJORD payloads were used by UNC215 to infiltrate government and academic networks to launch a series of cyber-attacks.
- These early attacks were aimed at targets in the Middle East and Central Asia.
The attack cycle
For initial access, the attackers exploited a vulnerability in SharePoint (CVE-2019-0604). They then followed a set methodology of credential harvesting and internal reconnaissance (through web shells) in order to identify crucial systems within the targeted network.
- As the attacks progressed, significant efforts were made to make detection more difficult through the removal of forensic artifacts from infected PCs, as well as improvements to the FOCUSFJORD backdoor program.
- The threat group also installed a custom implant called HyperBro. This implant has a number of capabilities, including a keylogger and screen capture.
- They also relayed C2 instructions through victim networks to hide the operators’ own C2 infrastructure. False flags were planted to mislead attribution of the threat actors, and they succeeded.
- In April of this year, for the first time, the group used SEASHARPEE, a web shell associated with Iranian APT groups. Over the course of eight years, the group misled investigators by posing as Iranians.
The Chinese cyber espionage actions in the Middle East and Central Asia, according to some experts, could be a way for the country to protect its massive investments in the Belt and Road Initiative (BRI) in those regions. UNC215 is likely to continue its attacks on crucial infrastructure in Israel and the Middle East as the project advances.