Research: Cyberattacks attributed to Chinese intelligence target Israeli security organizations

Cyber intelligence company FireEye published research attributing cyberattacks against Israeli organizations, including security-related ones, to Chinese intelligence. The activity is said to be aimed at obtaining Israeli technology and furthering the political interests of Beijing.

http://english.www.gov.cn

Cyber intelligence company FireEye published a report attributing offensive cyber activity in Israel to Chinese intelligence. The researchers call the Chinese group UNC215. The attack campaign exploited known vulnerabilities in Microsoft SharePoint in order to install web shells, which were then used to inject malware called FOCUSFJORD.

"Between 2019 and 2020, Mandiant responded to several incidents," the report said. "After gaining initial access, the operators conduct credential harvesting and extensive internal network reconnaissance. This includes running native Windows commands on compromised servers, executing ADFind on the Active Directory, and scanning the internal network with numerous publicly available tools and a non-public scanner we named WHEATSCAN. The operators made a consistent effort to delete these tools and remove any residual forensic artifacts from compromised systems."

The attackers also installed web shells on Outlook Web Access servers and afterwards interacted with them remotely. "After identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD," the report said. The group also used a tool called HYPERBRO for screen capture and keylogging.
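The tradecraft quoted above (web shells written into SharePoint and OWA web roots, ADFind and native Windows commands run from the compromised server, and tools deleted afterwards to remove forensic artifacts) is what a defender would want to catch. The following is an added detection example, not code from the FireEye report or from any product: it replays a constructed Sysmon-style event log through three rules that mirror those behaviours. The log format, field names, web-root paths and sample timestamps are assumptions chosen for illustration.

```python
"""Detection sketch for the UNC215-style activity described above.

Added example, not from the FireEye report. Replays constructed
process-creation, file-creation and file-deletion events through three rules:

  1. a server-side script dropped into a SharePoint or OWA web root by the
     IIS worker process (web shell landing after exploitation),
  2. reconnaissance commands (ADFind, native Windows commands) launched from
     or beneath the web server worker process,
  3. an executable deleted shortly after it ran (tool cleanup / anti-forensics).

The log layout and field names are assumptions, not any vendor's schema.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry):
# "timestamp|event|host|image|path_or_cmdline|parent"
SAMPLE_LOG = """\
2019-03-04T10:00:01|file_create|SP01|w3wp.exe|C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\_layouts\\15\\error2.aspx|svchost.exe
2019-03-04T10:02:17|process_create|SP01|cmd.exe|cmd.exe /c whoami /all|w3wp.exe
2019-03-04T10:03:05|process_create|SP01|C:\\Windows\\Temp\\adfind.exe|adfind.exe -f objectcategory=computer|cmd.exe
2019-03-04T10:04:40|file_delete|SP01|cmd.exe|C:\\Windows\\Temp\\adfind.exe|w3wp.exe
2019-03-04T11:15:00|process_create|WS07|notepad.exe|notepad.exe report.txt|explorer.exe
2019-03-05T09:30:00|file_create|MX02|w3wp.exe|C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\logon2.aspx|svchost.exe
"""

# Web roots assumed for SharePoint and Exchange OWA on a default install.
WEB_ROOTS = re.compile(
    r"\\(inetpub\\wwwroot\\wss\\VirtualDirectories|"
    r"Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa)\\",
    re.IGNORECASE,
)
SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)
RECON_CMDS = re.compile(
    r"\b(adfind|whoami|net\s+(group|user|view)|nltest|ipconfig|systeminfo|quser)\b",
    re.IGNORECASE,
)
DELETE_WINDOW = timedelta(hours=1)  # how soon after execution a delete is suspicious


def parse_log(text):
    """Turn the pipe-delimited constructed log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, host, image, detail, parent = line.split("|", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "host": host,
            "image": image,
            "detail": detail,
            "parent": parent,
        })
    return events


def detect(events):
    """Apply the three rules; return a list of (rule, host, evidence) tuples."""
    alerts = []
    recent_exec = {}  # (host, lowercase image path) -> time it was executed

    for ev in events:
        host, detail = ev["host"], ev["detail"]

        # Rule 1: the IIS worker process writes a server-side script into a
        # SharePoint or OWA web root.
        if (ev["event"] == "file_create" and ev["image"].lower() == "w3wp.exe"
                and WEB_ROOTS.search(detail) and SCRIPT_EXT.search(detail)):
            alerts.append(("webshell_drop", host, detail))

        # Rule 2: recon tooling launched from, or one hop beneath, w3wp.exe.
        if ev["event"] == "process_create":
            recent_exec[(host, ev["image"].lower())] = ev["ts"]
            if RECON_CMDS.search(detail) and ev["parent"].lower() in ("w3wp.exe", "cmd.exe"):
                alerts.append(("web_recon", host, detail))

        # Rule 3: an executable is deleted within DELETE_WINDOW of having run.
        if ev["event"] == "file_delete":
            ran_at = recent_exec.get((host, detail.lower()))
            if ran_at and ev["ts"] - ran_at <= DELETE_WINDOW:
                alerts.append(("tool_cleanup", host, detail))

    return alerts


if __name__ == "__main__":
    for rule, host, evidence in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:15} {host:5} {evidence}")
```

Rule 3 is the one that matters most against an actor the report describes as deleting its tools: the file-delete event survives even when the binary does not, so correlating deletions with earlier process creations on the same host turns the clean-up itself into the indicator. On the constructed log the three rules fire on the SharePoint and Exchange hosts and stay silent on the workstation.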

Another interesting aspect found by the research was the attackers' attempt to impersonate others (known as a false flag). "Linguistic analysis suggests that these terms were auto translated as they are not commonly used by native Farsi speakers," the report said regarding text that the attackers used in an attack in Kazakhstan. In other words, it is evidence that cyberattackers, as expected, use tactics to get the incident attributed to others (by the way, cyberattacks in Israel are almost automatically attributed to Iran).

According to the report, the hacker group operated in Israel, Iran, the United Arab Emirates, Kazakhstan and other countries. The report attributes the Chinese activity in Israeli cyberspace to investments that China is making in Israel under its "Belt and Road Initiative", as well as to China's desire for Israeli technology. "As China's BRI moves westward, its most important construction projects in Israel are the railway between Eilat and Ashdod, a private port at Ashdod, and the port of Haifa," the researchers wrote.

"In addition to data from Mandiant Incident Response and FireEye telemetry, we worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is still active in the region."
