Israeli Organisations Targeted By UNC215 Disguised As An Iranian Group

UNC215 is a Chinese cyber-espionage group that researchers hold responsible for several intrusion campaigns against Israeli organizations. Since 2019 the attacks have targeted entities in the IT sector, telecommunication firms, and government institutions.

Activities Of UNC215

FireEye’s Mandiant Threat Intelligence has linked UNC215 with low confidence to APT27 (also known as Iron Tiger), which has been active since 2014.

  • The group has targeted multiple entities in various sectors such as entertainment, technology, government, finance, telecommunications, healthcare, and defense.
  • Organizations relevant to Beijing’s diplomatic, financial, and strategic objectives are suitable targets for the group; Israel’s technology sector is of particular interest.
  • UNC215 breached government and academic networks to deploy FOCUSFJORD payloads and web shells.
  • The early attacks used entities in the Middle East and Central Asia as targets.

Attack Pattern

To gain initial access, the attackers exploited a SharePoint vulnerability (CVE-2019-0604). Afterward, the group consistently followed a fixed pattern: harvesting credentials and performing internal reconnaissance (using web shells) to identify systems of importance within the target network.

  • In each phase of the attacks, the operators actively hindered detection by removing forensic artifacts from the target devices. The FOCUSFJORD backdoor was also improved.
  • They also installed a custom implant known as HyperBro, which includes features such as screen capture and a keylogger.
  • The operators hide their C2 infrastructure by proxying C2 instructions through the victims’ own networks. False flags were planted to mislead attribution of the threat actor.
  • In April 2019, UNC215 used a web shell named SEASHARPEE that is linked to Iranian APT groups. For eight years, forensic analysts were misled by the group’s disguise as Iranian threat actors.
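A defender-side illustration of the web-shell reconnaissance step described above, added here as an example and not taken from the report or this article: it scans constructed IIS W3C log lines from a SharePoint server for repeated POST requests to unexpected .aspx pages under /_layouts/, a common drop location for web shells after a SharePoint compromise. The known-page list, the log field order, and the sample lines are assumptions to be tuned to a real farm.

```python
import re
from collections import Counter

# Assumption: the /_layouts/15/ pages legitimately used on this farm.
# Tune this allowlist to your own deployment.
KNOWN_LAYOUT_PAGES = {"start.aspx", "picker.aspx", "authenticate.aspx", "upload.aspx"}

# Assumed W3C field order: date time s-ip cs-method cs-uri-stem cs-uri-query
# s-port cs-username c-ip cs(User-Agent) sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \S+ (?P<method>\S+) (?P<stem>\S+) \S+ \S+ "
    r"(?P<user>\S+) (?P<cip>\S+) (?P<ua>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: normal user traffic plus one client repeatedly
# POSTing, unauthenticated, to a page that is not part of the known set.
SAMPLE_LOG = """\
2019-04-02 10:01:05 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows) 200
2019-04-02 10:01:09 10.0.0.5 POST /_layouts/15/picker.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows) 200
2019-04-02 10:02:11 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 10.0.1.77 python-requests/2.21 200
2019-04-02 10:02:15 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 10.0.1.77 python-requests/2.21 200
2019-04-02 10:02:40 10.0.0.5 POST /_layouts/15/error2.aspx - 443 - 10.0.1.77 python-requests/2.21 200
2019-04-02 10:03:00 10.0.0.5 GET /_layouts/15/upload.aspx - 443 CORP\\bob 10.0.1.21 Mozilla/5.0+(Windows) 200
"""


def parse_iis(log_text):
    """Yield one dict per parsable line; '#' directive lines and blanks are skipped."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_webshell_candidates(log_text, min_posts=2):
    """Return {(client_ip, uri_stem): post_count} for POSTs to .aspx pages under
    /_layouts/ that are not on the known-page list. Repeated POSTs to an
    unexpected page are the pattern of an operator driving a web shell rather
    than a user navigating SharePoint; review such pages on disk immediately."""
    counts = Counter()
    for rec in parse_iis(log_text):
        stem = rec["stem"].lower()
        if rec["method"] != "POST" or not stem.endswith(".aspx"):
            continue
        if not stem.startswith("/_layouts/"):
            continue
        if stem.rsplit("/", 1)[-1] in KNOWN_LAYOUT_PAGES:
            continue
        counts[(rec["cip"], stem)] += 1
    return {key: n for key, n in counts.items() if n >= min_posts}
```

Pair the hit with the file's creation time and the IIS worker's child-process events on the host, since the article notes that this group removes forensic artifacts and a log entry may outlive the shell itself.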

Final Deductions

Researchers suggest that Chinese cyber-espionage activity in Central Asia and the Middle East can be seen as a step to safeguard the large Chinese investments made under the Belt and Road Initiative (BRI) in those regions. As the project progresses, UNC215 and similar groups are expected to continue their attacks, with critical assets in Israel and the Middle East as their targets.

By IEMA IEMLabs

