Cybersecurity firm Mandiant, also known as FireEye, has revealed that Chinese espionage has been conducting an extensive campaign against Israeli targets. The attacks were made against Israeli government institutions, IT providers, and telecommunications organizations.
Mandiant attributes this campaign to Chinese operators known as UNC215, a Chinese espionage operation that has been suspected of targeting organizations around the world since at least 2014. Mandiant asserts that UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors. The group targets data and organizations which are of great interest to Beijing’s financial, diplomatic, and strategic objectives.
UNC215’s targets are located throughout the Middle East, Europe, Asia, and North America, says Mandiant.
In early 2019, Mandiant began identifying and responding to intrusions in the Middle East by Chinese espionage group UNC215. These intrusions exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia.
The hackers would take control of an internal system like Windows to steal all sorts of sensitive information, such as credentials and passwords. They also ran native Windows commands on compromised servers, executing all manner of operations on the victims’ systems. They also tried to scrub any evidence of their activities from the affected systems.
Mandiant explained that they worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement.
Mandiant believes this adversary is still active in the region.
In July The White House revealed that the European Union, the United Kingdom, and NATO had joined are joining the United States in exposing and criticizing the People’s Republic of China’s malicious cyber activities.
“Our allies and partners are a tremendous source of strength and a unique American advantage, and our collective approach to cyber threat information sharing, defense, and mitigation helps hold countries like China to account,” said the White House in a statement. It added that the announcement built, “on the progress made from the President’s first foreign trip. From the G7 and EU commitments around ransomware to NATO adopting a new cyber defense policy for the first time in seven years, the President is putting forward a common cyber approach with our allies and laying down clear expectations and markers on how responsible nations behave in cyberspace.”