Analysis by cybersecurity firm Mandiant has shown multiple, concurrent operations against Israeli government institutions, IT providers, and telecommunications entities by the Chinese espionage group UNC215, beginning in January 2019. In addition to data from Mandiant Incident Response and FireEye telemetry, Mandiant worked with Israeli defense agencies to review data from additional compromises of Israeli entities. In early 2019, Mandiant began identifying and responding to intrusions in the Middle East by UNC215. These intrusions exploited a Microsoft SharePoint vulnerability to install webshells and FOCUSFJORD payloads at targets in the Middle East and Central Asia.
During this time, UNC215 used new tactics, techniques, and procedures to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. Mandiant said it believes this adversary is still active in the region.
A detailed look into how UNC215 operates revealed that the operators conduct credential harvesting and extensive internal network reconnaissance post-intrusion. After identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD. UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging. While UNC215 heavily relies on the custom tools FOCUSFJORD and HYPERBRO, Chinese espionage groups often have resource-sharing relationships with other groups.
UNC215 made several attempts to foil network defenders, such as cleaning up evidence of their intrusion after gaining access to a system, exploiting trusted third parties, making technical modifications to their tools to limit outbound network traffic, and planting false flags, such as using Farsi strings to mislead analysts and suggest an attribution to Iran.
While UNC215 prioritizes evading detection within a compromised network, Mandiant identified several examples of code, C&C infrastructure, and certificate reuse, indicating that UNC215 operators are less concerned about defenders’ ability to track and detect UNC215 activity.
Mandiant attributes this campaign to Chinese espionage operators, which they track as UNC215 - a Chinese espionage operation suspected of targeting organizations worldwide since 2014. According to Mandiant, UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and healthcare sectors. The group targets data and organizations of great interest to Beijing's financial, diplomatic, and strategic objectives.
"The activity demonstrates China’s consistent strategic interest in the Middle East. This cyber-espionage activity is happening against the backdrop of China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector," read Mandiant's report.