Chinese cyber spies attack Israel posing as Iranian hackers

A Chinese state-linked hacking group attacked Israeli organizations in a campaign that began in January 2019. The attackers repeatedly planted false flags in an attempt to pass themselves off as Iranian operators.

According to researchers at the information security firm Mandiant, the attacks targeted Israeli government agencies, IT companies, and telecommunications providers. The attackers, tracked under the codename UNC215, routinely gained initial access by exploiting Microsoft SharePoint servers that had not been patched against CVE-2019-0604.

Once UNC215 had a foothold on one of these servers, the operators ran the WHEATSCAN tool to map the victim's internal network, then deployed the FOCUSFJORD web shell and the HYPERBRO backdoor on key servers to maintain persistent access to the victim's network.

To cover their tracks, the operators deleted malicious artifacts they no longer needed and carried out malicious actions with legitimate software. The group also planted false flags in the source code of its malware in an attempt to conceal its true identity: UNC215 frequently used file paths that referenced Iran (for example, C:\Users\Iran) and error messages written in Arabic. On at least three occasions UNC215 also used SEASHARPEE, an Iranian web shell that surfaced on Telegram in 2019.
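As an added defender-side example (not code from the article or from Mandiant's report), the following Python script pulls the kind of false-flag artifacts described above out of a constructed binary blob and reports them as weak attribution signals; the sample bytes, the string patterns and the function names are assumptions.

```python
import re

# Constructed sample: bytes resembling a compiled binary that embeds a
# user-profile path referencing Iran and an Arabic-script error string,
# the two false-flag artifact types described in the article.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"C:\\Users\\Iran\\build\\tool.pdb\x00"
    + "خطأ في الاتصال".encode("utf-8") + b"\x00"   # "connection error"
    + b"C:\\Windows\\System32\\kernel32.dll\x00"
)

# Embedded Windows user-profile paths (PDB paths, build directories, ...).
USER_PATH = re.compile(rb"[A-Za-z]:\\Users\\([^\\\x00]+)(?:\\[^\x00]*)?")
# Runs of Arabic-script text, allowing spaces between words.
ARABIC = re.compile("[\u0600-\u06FF][\u0600-\u06FF ]*[\u0600-\u06FF]")


def extract_user_paths(data: bytes):
    """Return (username, full path) pairs for embedded C:\\Users\\... strings."""
    return [
        (m.group(1).decode(errors="replace"), m.group(0).decode(errors="replace"))
        for m in USER_PATH.finditer(data)
    ]


def extract_arabic_strings(data: bytes):
    """Return Arabic-script strings found in the UTF-8 decodable parts of data."""
    text = data.decode("utf-8", errors="ignore")
    return ARABIC.findall(text)


def attribution_artifacts(data: bytes):
    """Collect path and language artifacts an analyst might be tempted to read
    as attribution. They are labelled as weak indicators: the adversary controls
    every one of these strings, so they support attribution only alongside
    infrastructure, tooling and targeting evidence."""
    return {
        "confidence": "weak",
        "user_profile_paths": extract_user_paths(data),
        "arabic_strings": extract_arabic_strings(data),
    }


if __name__ == "__main__":
    for key, value in attribution_artifacts(SAMPLE).items():
        print(f"{key}: {value}")
```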

Despite these disguises, Mandiant assesses that UNC215 has conducted cyber espionage operations aligned with Chinese state interests since at least 2014. The attacks on Israeli targets are part of a broader espionage campaign in which UNC215 has targeted organizations in the Middle East, Europe, Asia and North America.