Wednesday, July 24, 2024

Israeli Organisations Targeted By UNC215 Disguised As An Iranian Group

UNC215 is a Chinese cyber-espionage group that researchers at Mandiant hold responsible for a series of intrusions into Israeli organisations. Since 2019 the group has targeted IT companies, telecommunications firms, and government institutions.

Activities Of UNC215

FireEye’s Mandiant Threat Intelligence has linked UNC215, with low confidence, to APT27 (also known as Iron Tiger), a group that has been active since 2014.

  • The group has targeted organisations in many sectors, including entertainment, technology, government, finance, telecommunications, healthcare, and defense.
  • Organisations relevant to Beijing’s diplomatic, financial, and strategic objectives are its typical targets; Israel’s technology sector is of particular interest.
  • UNC215 breached government and academic networks to deploy FOCUSFJORD payloads and web shells.
  • Earlier activity targeted entities elsewhere in the Middle East and in Central Asia.

Attack Pattern

For initial access the attackers exploited CVE-2019-0604, a remote code execution vulnerability in Microsoft SharePoint, and used it to install web shells. From there the group followed a consistent pattern: harvesting credentials and carrying out internal reconnaissance through the web shells to identify systems of interest within the target network.

  • In each phase of an intrusion the operators took active steps to hinder detection, removing forensic artifacts from compromised hosts. The FOCUSFJORD backdoor was also refined over time.
  • They also deployed HyperBro, a custom backdoor whose features include screen capture and keylogging.
  • The operators minimised their own exposed C2 infrastructure by relaying C2 traffic through victim networks, using compromised hosts to proxy instructions to other victims. False flags were planted to mislead attribution.
  • In April 2019, UNC215 used SEASHARPEE, a web shell historically associated with Iranian APT groups. Together with the planted false flags, this reuse of Iranian-linked tooling was meant to mislead forensic analysts into attributing the activity to Iranian threat actors.
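The access pattern described in this section (SharePoint exploitation, then web shell use from the same client) leaves a recognisable trail in IIS logs. The script below is an added example of hunting for that trail; it is not code from the Mandiant report or from this page. Two things are assumed: the request path and query marker (`Picker.aspx` with `ItemPickerDialog`) come from public exploit write-ups for CVE-2019-0604, not from this article, and the `LAYOUTS_BASELINE` allowlist, the web shell name `error_page.aspx` and the log lines are all constructed for the example.

```python
"""Hunt IIS W3C logs for CVE-2019-0604 exploitation followed by web shell use.

Added example, not from the Mandiant report. Sample data is constructed.
"""
from collections import defaultdict

# Path and query marker used by public CVE-2019-0604 exploits (assumption:
# taken from public write-ups, the article itself does not name them).
EXPLOIT_PATH = "/_layouts/15/picker.aspx"
EXPLOIT_MARKER = "itempickerdialog"

# Pages under /_layouts/ that legitimately receive POSTs in this deployment.
# Assumption: a real hunt builds this baseline from known-good logs.
LAYOUTS_BASELINE = {"picker.aspx", "start.aspx", "authenticate.aspx", "upload.aspx"}

# Constructed W3C extended log. 203.0.113.7 plays the attacker; 198.51.100.4 is
# an ordinary user. error_page.aspx is a hypothetical web shell name.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2019-01-14 02:11:03 GET /_layouts/15/start.aspx - 203.0.113.7 200
2019-01-14 02:11:09 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog 203.0.113.7 500
2019-01-14 02:11:10 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.Portal.WebControls.ItemPickerDialog 203.0.113.7 200
2019-01-14 02:12:41 POST /_layouts/15/error_page.aspx - 203.0.113.7 200
2019-01-14 02:12:55 POST /_layouts/15/error_page.aspx - 203.0.113.7 200
2019-01-14 02:13:02 POST /_layouts/15/error_page.aspx cmd=whoami 203.0.113.7 200
2019-01-14 08:30:00 GET /_layouts/15/Picker.aspx - 198.51.100.4 200
2019-01-14 08:31:15 POST /sites/hr/SitePages/Home.aspx - 198.51.100.4 200
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if fields and len(parts) == len(fields):  # skip malformed rows
                yield dict(zip(fields, parts))


def hunt(text):
    """Return exploit-shaped POSTs per client and POSTs to non-baseline layouts pages.

    A web shell candidate is flagged 'after_exploit' when the same client IP
    already sent an exploit-shaped request earlier in the log, which is the
    ordering the article describes.
    """
    exploit_attempts = defaultdict(int)  # c-ip -> number of exploit-shaped POSTs
    shells = {}  # (c-ip, stem) -> details of POSTs to unexpected .aspx pages
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST":
            continue  # only POSTs matter for both rules
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        ip = rec["c-ip"]
        if stem == EXPLOIT_PATH and EXPLOIT_MARKER in query:
            exploit_attempts[ip] += 1
        elif (stem.startswith("/_layouts/") and stem.endswith(".aspx")
              and stem.rsplit("/", 1)[-1] not in LAYOUTS_BASELINE):
            entry = shells.setdefault((ip, stem), {
                "posts": 0,
                "after_exploit": ip in exploit_attempts,
                "first_seen": rec["date"] + " " + rec["time"],
            })
            entry["posts"] += 1
    return {"exploit_attempts": dict(exploit_attempts), "webshell_candidates": shells}


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_LOG).items():
        print(key, value)
```

The ordinary user's GET to `Picker.aspx` does not fire because the exploit is a POST carrying the serialized payload, and the POST to a page under `/sites/` is ignored because the rule is scoped to the `/_layouts/` directory where an attacker with file-write access through this vulnerability would drop a shell. In a real hunt the baseline set should be generated from the deployment's own logs before the suspected intrusion window.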

Final Deductions

The researchers assess that Chinese cyber-espionage activity in Central Asia and the Middle East serves to protect China’s substantial investments under the Belt and Road Initiative (BRI) in those regions. As the initiative progresses, UNC215 and similar groups are expected to continue targeting critical assets in Israel and the wider Middle East.
