A group of Chinese hackers carried out coordinated cyberattacks on Israel that affected dozens of Israeli government and private organizations, according to a report from U.S. security company FireEye released Tuesday.
FireEye, which worked alongside Israeli defence agencies in probing the cyberattacks, noted that it did not have sufficient evidence to link the Chinese espionage group, called UNC215, to the Chinese communist regime. It added, however, that the group targets data and organizations which are of “great interest to Beijing's financial, diplomatic, and strategic objectives.”
UNC215 is a Chinese espionage operation that has been suspected of targeting organizations around the world since at least 2014, the report states.
In early 2019, the group exploited a Microsoft SharePoint vulnerability and deployed custom malware that FireEye tracks as FOCUSFJORD and HYPERBRO. The hackers then stole user credentials and conducted internal network reconnaissance.
The group also took deliberate steps to mislead researchers and obscure its origin: it planted Farsi-language strings in parts of its code that incident response teams were likely to recover, and it used malware tools linked to Iranian groups that had previously been leaked online, FireEye said.
"The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT [Advanced Persistent Threat] groups may have been intended to mislead analysts and suggest an attribution to Iran," the company’s report said.
"We have seen historically a few false flag attempts. We saw one during the Olympics in South Korea,” he explained. "There might be several reasons why a threat actor wants to do a false flag—obviously it makes the analysis a bit more complex.”
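The false-flag artifacts FireEye describes (Farsi strings, file paths containing /Iran/, public Iranian web shells) are all things an attacker writes into a sample at will. The script below is an added illustration, not code from FireEye or the UNC215 report: it pulls such strings out of a binary blob in the encodings a Windows implant typically uses (narrow ASCII, UTF-16LE and UTF-8), tags them, and reports the whole class as weak evidence that needs corroboration. The sample blob, the byte-pattern extractors and the Persian-letter heuristic (letters peh, tcheh, jeh and gaf do not occur in Arabic) are the author's own assumptions for the example.

```python
"""Added triage example (not from the FireEye report): surface attacker-controlled
language and path artifacts and weigh them as weak attribution signals."""
import re
from dataclasses import dataclass

# Letters used in Persian but absent from the Arabic alphabet proper:
# peh, tcheh, jeh, gaf. One of these marks a string as Perso-Arabic, not Arabic.
PERSIAN_ONLY = {"\u067e", "\u0686", "\u0698", "\u06af"}
ARABIC_BLOCK = re.compile(r"[\u0600-\u06ff]")
# A directory component literally named Iran, with Windows or POSIX separators.
IRAN_PATH = re.compile(r"[\\/]iran[\\/]", re.IGNORECASE)

# Heuristic byte-level extractors, one per encoding (assumed for this example).
EXTRACTORS = (
    ("ascii", re.compile(rb"[\x20-\x7e]{4,}")),
    ("utf-16-le", re.compile(rb"(?:[\x20-\x7e]\x00){4,}")),
    # U+0600..U+06FF in UTF-16LE is <low byte> 06; wide spaces allowed inside a run.
    ("utf-16-le", re.compile(rb"(?:[\x00-\xff]\x06|\x20\x00)+")),
    # The same block in UTF-8 is a two-byte sequence D8..DB 80..BF.
    ("utf-8", re.compile(rb"(?:[\xd8-\xdb][\x80-\xbf]|\x20)+")),
)


@dataclass(frozen=True)
class Finding:
    offset: int
    encoding: str
    kind: str  # iran_filepath | farsi_string | arabic_script_string
    text: str


def classify(text: str):
    """Tag a decoded string, or return None if it carries no such artifact."""
    if IRAN_PATH.search(text):
        return "iran_filepath"
    if any(ch in PERSIAN_ONLY for ch in text):
        return "farsi_string"
    if len(ARABIC_BLOCK.findall(text)) >= 3:
        return "arabic_script_string"
    return None


def scan(blob: bytes):
    """Return every tagged string in the blob, ordered by file offset."""
    found = {}
    for encoding, pattern in EXTRACTORS:
        for m in pattern.finditer(blob):
            text = m.group().decode(encoding, errors="replace").strip()
            kind = classify(text)
            if kind:
                found.setdefault((m.start(), kind), Finding(m.start(), encoding, kind, text))
    return sorted(found.values(), key=lambda f: f.offset)


def weigh(findings):
    """Count findings by kind. Every kind here is attacker-controlled text, so the
    class as a whole is rated 'weak': it needs corroboration from infrastructure,
    code-sharing and targeting overlaps before it should steer attribution."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return {"counts": counts, "evidence_weight": "weak" if counts else "none"}


# Constructed sample: a fake header followed by planted artifacts in three encodings.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + "C:\\Users\\dev\\Iran\\build\\agent.pdb".encode("utf-16-le") + b"\x00\x00\x00\x00"
    # "message sent" in Persian (contains peh), UTF-8 encoded
    + "\u067e\u06cc\u0627\u0645 \u0627\u0631\u0633\u0627\u0644 \u0634\u062f".encode("utf-8") + b"\x00"
    + b"/tmp/Iran/shell.php\x00"
    # "salam": Arabic letters only, UTF-16LE encoded
    + "\u0633\u0644\u0627\u0645".encode("utf-16-le") + b"\x00\x00"
    + b"GET /index.php HTTP/1.1\x00"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:#06x} {f.encoding:<9} {f.kind:<21} {f.text}")
    print(weigh(scan(SAMPLE)))
```

Running it lists the two /Iran/ paths, the Persian sentence and the Arabic-only word, each with its offset and encoding, and the summary rates all of them "weak". The point of the separate `farsi_string` and `arabic_script_string` tags is that an analyst can tell a genuinely Persian string from generic Arabic script, while still treating neither as proof of who wrote the code.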
The report noted that the targeted attacks came against the backdrop of China's multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel's robust technology sector.
"China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions [including] political, economic, and security," FireEye said.
The company said that it expects Beijing will "continue targeting governments and organizations involved in these critical infrastructure projects.”
"Their goal isn't necessarily always to steal intellectual property; it's possible that they're actually looking for business information,” said Yashar. "In the Chinese view, it's legitimate to attack a company while negotiating with it, so they will know how to price the deal properly.”
The report comes just weeks after President Joe Biden signed a memorandum that seeks to bolster the United States’ critical infrastructure against cyberattacks.
Cybersecurity has become a key priority for the Biden administration following a string of high-profile attacks in recent months, including those involving network management software vendor SolarWinds, pipeline operator Colonial Pipeline, meat processor JBS, and IT management software company Kaseya.
