A significant cybersecurity threat has emerged from a Chinese cyber espionage group known as UNC215, which has been stealthily targeting Israeli government entities and IT infrastructure since at least 2019. The group is notable for disguising its operations as those of Iranian hackers to evade detection, complicating forensic investigations that attempt to trace the source of these intrusions.

The Mandiant threat intelligence team at FireEye has identified UNC215 as a sophisticated Chinese espionage operation with a history extending back to 2014. The group is tentatively linked, with low confidence, to an advanced persistent threat (APT) actor recognized as APT27, also known as Emissary Panda or Iron Tiger. Their campaigns target various sectors, with a particular interest in government, technology, telecommunications, and defense.

As outlined in a recent report by FireEye, UNC215 has been relentless in its pursuit of sensitive data, with motivations intricately aligned with Beijing’s strategic interests, especially regarding financial and diplomatic goals. Their targets often involve organizations crucial to China’s long-term objectives, indicating a broader ambition to gather intelligence on defense innovations and other classified materials.

In previous engagements, the group has leveraged vulnerabilities in Microsoft SharePoint, specifically CVE-2019-0604, to penetrate networks and establish footholds for deploying malicious payloads such as FOCUSFJORD. Initially described by the NCC Group in 2018, FOCUSFJORD serves as an advanced backdoor facilitating further intrusions into sensitive infrastructures across the Middle East and Central Asia.

Upon establishing initial access, UNC215 employs a methodical approach, utilizing credential harvesting and internal reconnaissance to pinpoint critical systems. The attackers typically initiate lateral movement to implant a bespoke tool called HyperBro, which is capable of screen capture and keylogging. This indicates a multifaceted exploitation strategy, encompassing tactics such as credential access (T1003) and lateral movement (T1075) as outlined in the MITRE ATT&CK framework.

Each stage of the attack is methodically designed to obscure the attacker's tracks: forensic artifacts are removed, and the FOCUSFJORD backdoor is modified in response to public threat intelligence reports. The group has also routed command-and-control communications through proxy networks and planted misleading indicators to disguise the true origin of its activity. This reflects a sophisticated understanding of operational security and a demonstrated ability to evade detection mechanisms.

Notably, in an operation against an Israeli governmental network in 2019, UNC215 exploited remote desktop protocol (RDP) access from a trusted third-party contractor using pilfered credentials. This method showcases a concerning trend in cyber espionage tactics, highlighting the potential for trusted networks to be compromised and leveraged against their own interests.
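The credential-driven lateral movement and the contractor RDP access described above both leave a trace in Windows logon telemetry: a successful logon (Event ID 4624) with LogonType 10, the RemoteInteractive type used by RDP. The script below is an added illustration of the kind of check a defender can run over such events; it is not code from the FireEye/Mandiant report or from UNC215 tooling. The event lines are constructed and simplified (real 4624 records carry many more fields), and the vendor egress range and support window in `CONTRACTOR_POLICY` are hypothetical values a site would replace with its own.

```python
"""Flag RDP logons by third-party contractor accounts that fall outside the
vendor's agreed source range or support window. Added example; the sample
events and the policy below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10            # Windows LogonType 10 = RemoteInteractive (RDP)
SUCCESSFUL_LOGON_EVENT = 4624  # Windows Security event "An account was successfully logged on"

# Constructed sample: one simplified 4624/4625 record per line.
SAMPLE_EVENTS = [
    "2019-03-12T09:14:02 EventID=4624 Account=CONTRACTOR\\jsmith LogonType=10 SourceIP=203.0.113.10",
    "2019-03-12T22:41:55 EventID=4624 Account=CONTRACTOR\\jsmith LogonType=10 SourceIP=198.51.100.77",
    "2019-03-12T10:02:31 EventID=4624 Account=GOV\\admin01 LogonType=2 SourceIP=127.0.0.1",
    "2019-03-13T03:15:09 EventID=4624 Account=CONTRACTOR\\mlee LogonType=10 SourceIP=203.0.113.22",
    "2019-03-13T11:30:00 EventID=4624 Account=CONTRACTOR\\mlee LogonType=10 SourceIP=203.0.113.5",
    "2019-03-13T11:45:00 EventID=4625 Account=CONTRACTOR\\mlee LogonType=10 SourceIP=203.0.113.5",
]

# Hypothetical policy: accounts in the CONTRACTOR domain may use RDP only from
# the vendor's published egress range and only during the contracted support hours.
CONTRACTOR_POLICY = {
    "CONTRACTOR\\": {
        "allowed_networks": [ip_network("203.0.113.0/24")],
        "allowed_hours": range(8, 19),  # 08:00 to 18:59 local time
    }
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) "
    r"LogonType=(?P<lt>\d+) SourceIP=(?P<ip>\S+)$"
)


@dataclass
class Alert:
    timestamp: datetime
    account: str
    source_ip: str
    reasons: list


def parse_event(line: str):
    """Parse one constructed event line; return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "account": m["acct"],
        "logon_type": int(m["lt"]),
        "source_ip": m["ip"],
    }


def policy_for(account: str):
    """Return the contractor policy whose domain prefix matches the account, if any."""
    for prefix, policy in CONTRACTOR_POLICY.items():
        if account.upper().startswith(prefix.upper()):
            return policy
    return None


def evaluate_rdp_logon(event: dict) -> list:
    """Return the policy violations for one parsed event; an empty list means benign."""
    if event["event_id"] != SUCCESSFUL_LOGON_EVENT or event["logon_type"] != RDP_LOGON_TYPE:
        return []  # only successful RDP logons are in scope
    policy = policy_for(event["account"])
    if policy is None:
        return []  # not a contractor account; other rules would cover it
    try:
        src = ip_address(event["source_ip"])
    except ValueError:
        return ["unparseable source address"]
    reasons = []
    if not any(src in net for net in policy["allowed_networks"]):
        reasons.append("source outside vendor range")
    if event["timestamp"].hour not in policy["allowed_hours"]:
        reasons.append("outside support window")
    return reasons


def detect(lines) -> list:
    """Run the check over a sequence of event lines and collect alerts in order."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        reasons = evaluate_rdp_logon(event)
        if reasons:
            alerts.append(Alert(event["timestamp"], event["account"], event["source_ip"], reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.timestamp:%Y-%m-%d %H:%M} {a.account} from {a.source_ip}: {', '.join(a.reasons)}")
```

Run against the constructed sample, the check raises two alerts: the late-night logon of `CONTRACTOR\jsmith` from outside the vendor range, and the 03:15 logon of `CONTRACTOR\mlee` from an allowed address but outside the support window. A stolen contractor credential used from the attacker's own infrastructure would typically trip the first rule; the second is the fallback for the harder case where the attacker is operating from inside the contractor's network, which is why both conditions are worth evaluating independently and why each alert should be matched against the vendor's change tickets before it is closed.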

Evidence from this ongoing campaign aligns with China’s strategic positioning in the Middle East, especially in relation to the Belt and Road Initiative (BRI), which involves substantial investments in infrastructure and technology sectors. The cyber activities of UNC215 suggest a sustained interest in monitoring developments within these regions, anticipating potential obstacles that could affect China’s objectives.

Experts indicate that UNC215 will likely continue its focus on key governmental and organizational targets within Israel and the wider Middle East. The evolving threat landscape necessitates vigilance and proactive measures from business leaders to safeguard against similar incursions, underscoring the need for robust cybersecurity defenses in an increasingly interconnected world.
