A Chinese cyber espionage group has been linked to a string of intrusion activities targeting Israeli government institutions, IT providers, and telecommunications companies.Tracked as “UNC215“, a Chinese espionage operation linking the group with “low confidence” to an APT widely known as APT27, Emissary Panda, or Iron Tiger.

The group targets data and organizations which are of great interest to Beijing’s financial, diplomatic, and strategic objectives. The findings reflecting a relentless appetite for defense related secrets among hacking groups.

Chinese Hackers

Early attacks perpetrated by the collective is said to have exploited a Microsoft SharePoint vulnerability CVE-2019-0604 as a stepping stone toward infiltrating government and academic networks to deploy web shells and  FOCUSFJORD  payloads at targets in the Middle East and Central Asia.

After gaining an initial foothold, an established pattern of conducting credential harvesting and internal reconnaissance to identify key systems within the target network, before carrying out lateral movement activities to install a custom implant called HyperBro that comes with capabilities such as screen capture and keylogging.

Each phase of the attack is marked by notable efforts undertaken to hinder detection by removing any traces of residual forensic artifacts from compromised machines, while simultaneously improving the FOCUSFJORD backdoor in response to security vendor reports, concealing C2 infrastructure by using other victim networks to proxy their C2 instructions, and even incorporating false flags such as deploying a web shell called SEASHARPEE that’s associated with Iranian APT groups in an attempt to mislead attribution.

The activity demonstrates China’s consistent strategic interest in the Middle East. This cyber espionage activity is happening against the backdrop of China’s multi-billion-dollar investments related to the Belt and Road Initiative and its interest in Israeli’s robust technology sector.

China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions political, economic, and security and we anticipate that UNC215 will continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term.