A group of Chinese hackers carried out coordinated cyberattacks on Israel that affected dozens of Israeli government and private organizations, according to a report released by U.S. security company FireEye on Aug. 10.
Israeli government institutions, IT providers, and telecommunications firms were targeted by the group in a widespread espionage campaign that began in January 2019, the California-based cybersecurity firm stated in the report, noting that the hackers carried out data harvesting and reconnaissance.
FireEye, which worked alongside Israeli defense agencies in probing the cyberattacks, noted that it didn’t have sufficient evidence to link the Chinese espionage group known as UNC215 to the Chinese communist regime. However, it noted that the group targets data and organizations that are of “great interest to Beijing’s financial, diplomatic, and strategic objectives.”
UNC215 is a Chinese espionage operation that has been suspected of targeting organizations around the world since at least 2014, the report states.
In early 2019, the group exploited a Microsoft SharePoint vulnerability and used custom malware tools known as FOCUSFJORD and HYPERBRO. The hackers then stole users’ credentials and conducted internal network reconnaissance.
The group took deliberate steps to mislead researchers and hide its nationality. These included planting Farsi strings in parts of the code that could be recovered by incident response teams and using malware tools linked to Iranian groups that had previously been leaked online, FireEye said.
“The use of Farsi strings, file paths containing /Iran/, and web shells publicly associated with Iranian APT [Advanced Persistent Threat] groups may have been intended to mislead analysts and suggest an attribution to Iran,” the report reads.
Jens Monrad, who leads the work of FireEye’s threat intelligence division Mandiant in EMEA, told Sky News that the group’s attempt to mask their nationality was “a little bit unusual.”
“We have seen, historically, a few false flag attempts. We saw one during the Olympics in South Korea,” he explained. “There might be several reasons why a threat actor wants to do a false flag—obviously, it makes the analysis a bit more complex.”
The report noted that the targeted attacks came against the backdrop of China’s multibillion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.
BRI is the Chinese regime’s multitrillion-dollar infrastructure program launched in 2013 to expand its trade and political influence throughout Asia, Africa, and Europe. Critics have argued that BRI has put developing countries into “debt traps.”
“China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions, [including] political, economic, and security,” FireEye stated.
The company stated that it expects Beijing will “continue targeting governments and organizations involved in these critical infrastructure projects.”
Sanaz Yashar, who headed FireEye’s research into Israeli targets, told Haaretz that many Israeli companies are involved in the fields that are at the core of Chinese interests, as reflected in their five-year plans.
“Their goal isn’t necessarily always to steal intellectual property. It’s possible that they’re actually looking for business information,” Yashar said. “In the Chinese view, it’s legitimate to attack a company while negotiating with it, so they will know how to price the deal properly.”
The report comes just weeks after President Joe Biden signed a memorandum that seeks to bolster the United States’ critical infrastructure against cyberattacks. Biden warned on July 27 that if the United States ended up in a “real shooting war” with a “major power,” it could come in response to a significant cyberattack.
Cybersecurity has become a key priority for the Biden administration following a string of high-profile attacks in recent months, including those on network management company SolarWinds, the Colonial Pipeline company, meat processing firm JBS, and software company Kaseya.