UNC215 is a Chinese cyber-espionage organization and is responsible for several intrusion activities targeting Israeli organizations, researchers claim. The attacks are targeting entities in IT sectors, telecommunication firms, and government institutions since 2019.
Activities Of UNC215
FireEye’s Mandiant Threat Intelligence has connected the UNC215 group with low confidence to APT27 (also known as Iron Tiger) which has been operative since 2014.
- The group has targeted multiple entities in various sectors such as entertainment, technology, government, finance, telecommunications, healthcare, and defense.
- The organizations of interest to Beijing’s diplomatic, financial, and strategic objectives are suitable targets for the group. Israel’s technology sector is of great interest to the group.
- UNC215 breached government and academic networks to deploy FOCUSFJORD payloads and web shells.
- The early attacks used entities in the Middle East and Central Asia as targets.
Attack Pattern
To gain access, the attackers have exploited a SharePoint vulnerability (CVE-2019-0604). Afterward, the group has consistently followed a fixed pattern for harvesting credentials and internal reconnaissance (using web shells) to detect systems of importance within the target network.
- With each phase of the attacks, active efforts are made to make detection difficult by removing any forensic artifacts from the target devices. FOCUSFJORD backdoor was also improved.
- They also installed a custom implant known as HyperBro. This implant contains multiple features such as screen capture and a keylogger.
- The operators hide their C2 infrastructure by using networks of the victims with the proxy of C2 instructions. False flags were planted for misleading the attributions of threat actors.
- In April 2019, UNC215 used a web shell named SEASHARPEE that is linked with the Iranian APT groups. For eight years, forensic analysts were misled by the group as they were disguised as Iranian threat actors.
Final Deductions
Researchers suggest that the Chinese cyber-espionage activities in Central Asia and the Middle East can be considered as steps to safeguard huge Chinese investments in the Belt and Road Initiative (BRI) in those regions. On the progression of the project, UNC215, and other such groups are anticipated to continue attacks, with their targets being critical assets in Israel and the Middle East.
