Tuesday, August 10, 2021

OCCULT CYBERWAR
Chinese cyber spies targeted Israel posing as Iranian hackers
SHOULD HAVE GONE ONE MORE STEP AND HID BEHIND NORTH KOREAN HACKERS


IMAGE: ROBERT BYE, THE RECORD
Catalin Cimpanu

August 10, 2021

A Chinese cyber-espionage group has targeted Israeli organizations in a campaign that began in January 2019, during which the group often used false flags in attempts to disguise itself as an Iranian threat actor.

Detailed in a report published today by security firm Mandiant, the attacks targeted Israeli government institutions, IT companies, and telecommunication providers.

The attackers, which Mandiant said it tracks under the codename UNC215, typically breached organizations through Microsoft SharePoint servers left unpatched against the CVE-2019-0604 vulnerability.

Once UNC215 gained access to one of these servers, they deployed the WHEATSCAN tool to scan the victim’s internal network and then installed the FOCUSFJORD web shell and HYPERBRO backdoor on key servers as a way to ensure persistence on the hacked organizations’ networks.

IMAGE: MANDIANT

Mandiant said the group took several steps to hide its intrusions and minimize forensic evidence on a victim’s network, such as removing malware artifacts once they were no longer needed and using legitimate software to perform malicious operations.

UNC215 planted Iranian false flags

The group also used false flags inside its malware source code in an attempt to hide its real identity.

Mandiant said UNC215 often used file paths mentioning Iran (e.g., C:\Users\Iran) or error messages written in Farsi (e.g., ‘ضائع’, which translates to “lost” or “missing”).

In addition, on at least three occasions, UNC215 also used an Iranian hacking tool that was leaked on Telegram in 2019 (the SEASHARPEE web shell).

However, Mandiant researchers said that despite these indicators, the UNC215 group has been conducting cyber-espionage operations of interest to the Chinese state since at least 2014.

Moreover, the attacks against Israeli targets are part of a larger espionage campaign during which UNC215 targeted a broader set of victims across the Middle East, Europe, Asia, and North America, with targets typically in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors.

But while the Mandiant research team attributed these hacks to the UNC215 group, the company said it is currently investigating the possibility that UNC215 might be associated with a larger Chinese cyber-espionage group known as APT27 or Emissary Panda, a group that security firm Cybereason also recently spotted attacking telcos across Southeast Asia.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

China hacks Israel, Iran, for info on tech, business advances

Tolerance for Chinese cyber attacks has decreased globally following its handling of the coronavirus crisis, Hong Kong, and accusations of war crimes (GENOCIDE AGAINST THE UYGHURS)

By YONAH JEREMY BOB
AUGUST 10, 2021 


China has hacked dozens of Israeli public and private sector groups, as well as groups in Iran, Saudi Arabia and a variety of other countries, the international cybersecurity company FireEye announced Tuesday.

The massive cyber attack appears to be part of a long-term spying strategy in the area of technology and business competition and advancement, rather than a desire to harm any of the target countries or businesses.

According to FireEye, Beijing does not discriminate along any of the fault lines in the region, using its cyber tools to spy on a wide array of Middle Eastern countries, which are often at odds with each other, while all doing business with China.

The goal seems to have been to gain intelligence that would help achieve better negotiation outcomes on pricing, by reading internal email discussions and assessments, and to appropriate certain key technological developments where possible.

In addition, the attack is tied to exploitation of a vulnerability in Microsoft’s SharePoint about which the Israel National Cyber Directorate (INCD) issued a warning in 2019. That exploitation is past its peak impact.

The INCD tends not to name specific countries involved and would not name China on Tuesday.

The revelation was a joint effort by FireEye and Mandiant.

Mandiant, a part of FireEye, says it “brings together the world’s leading intelligence threat and frontline expertise with continuous security validation to arm organizations with the tools needed to increase security effectiveness.”

Estimates are that some public and private sector Israeli entities started to repel the attack once the SharePoint vulnerability was announced in 2019, but that in other cases, Chinese spying in Israel continued deep into 2020.

The timing of the current announcement seemed to dovetail with the announcement by governments in Europe, Asia, the US and NATO in July of a similar massive cyber attack carried out by China.

The report said that Mandiant and FireEye “worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities.”

During this time, Chinese espionage group UNC215 “used new TTPs [Tactics, Techniques and Procedures] to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement.”

Mandiant said it “believes this adversary is still active in the region,” even if the specific kind of attack may not be its current major cyber spying move.

According to the report, UNC215 operators “conduct credential harvesting and extensive internal network reconnaissance post-intrusion. After identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD.”

“UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging” said the report.

Next, the report said that UNC215 made several attempts to foil network defenders, such as “Cleaning up evidence of their intrusion after gaining access to a system - This type of action can make it more difficult for incident responders to reconstruct what happened.”

Further, UNC215 exploited “trusted third parties in a 2019 operation targeting an Israeli government network - The operators were able to access their primary target via RDP [Remote Desktop Protocol] connections from a trusted third party using stolen credentials and used this access to deploy and remotely execute FOCUSFJORD on their primary target.”
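The trusted-third-party RDP access followed by remote execution of FOCUSFJORD, quoted above, is something a defender can detect when the external ranges that belong to partners are known: a stolen credential used over RDP looks like a legitimate partner logon, so the signal is what happens on the host shortly afterwards. The Python below is an added example, not Mandiant’s or the INCD’s detection logic. It correlates RemoteInteractive logons (Windows Security event 4624 with logon type 10) sourced from a partner network with a service installation (System event 7045) on the same host within a 30-minute window. The JSON events, hostnames, user names, timestamps, the 203.0.113.0/24 partner range and the flattened field names are all constructed for the example; real Windows events carry fields such as IpAddress and LogonType and would need the same flattening by the log forwarder.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Partner range assumed for the example (TEST-NET-3). In practice this list
# comes from the inventory of third parties granted remote access.
TRUSTED_THIRD_PARTY = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed events, one JSON object per line as a forwarder might emit them.
# Hosts, users, times and addresses are invented for the example.
EVENTS = """
{"ts":"2019-06-03T08:12:04Z","host":"GOV-FS01","event_id":4624,"logon_type":10,"user":"contoso\\\\svc-backup","src_ip":"203.0.113.25"}
{"ts":"2019-06-03T08:14:31Z","host":"GOV-FS01","event_id":7045,"service_name":"WinUpdateSvc","image_path":"C:\\\\Windows\\\\Temp\\\\svchost.exe"}
{"ts":"2019-06-03T09:02:10Z","host":"GOV-WS22","event_id":4624,"logon_type":10,"user":"contoso\\\\jdoe","src_ip":"10.10.5.17"}
{"ts":"2019-06-03T11:40:00Z","host":"GOV-FS02","event_id":4624,"logon_type":10,"user":"contoso\\\\svc-backup","src_ip":"203.0.113.26"}
{"ts":"2019-06-04T02:15:00Z","host":"GOV-FS02","event_id":7045,"service_name":"Backup Agent","image_path":"C:\\\\Program Files\\\\Vendor\\\\agent.exe"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts', ordered oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def from_partner(ip: str) -> bool:
    """True when the source address falls inside a trusted third-party range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_THIRD_PARTY)


def find_partner_rdp_then_service(events: list, window=timedelta(minutes=30)) -> list:
    """Alert when a service is installed (7045) on a host within `window` of an
    RDP logon (4624, logon type 10 = RemoteInteractive) sourced from a partner."""
    partner_rdp = {}  # host -> partner RDP logons seen so far
    alerts = []
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 10 and from_partner(e["src_ip"]):
            partner_rdp.setdefault(e["host"], []).append(e)
        elif e["event_id"] == 7045:
            for logon in partner_rdp.get(e["host"], []):
                delay = e["ts"] - logon["ts"]
                if timedelta(0) <= delay <= window:
                    alerts.append({
                        "host": e["host"],
                        "user": logon["user"],
                        "src_ip": logon["src_ip"],
                        "service_name": e["service_name"],
                        "image_path": e["image_path"],
                        "delay_s": int(delay.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for a in find_partner_rdp_then_service(parse_events(EVENTS)):
        print(f"{a['host']}: {a['user']} from {a['src_ip']} installed "
              f"'{a['service_name']}' ({a['image_path']}) {a['delay_s']}s after RDP logon")
```

On the constructed data only GOV-FS01 alerts: the partner-sourced logon is followed two and a half minutes later by a service whose binary lives in C:\Windows\Temp. The internal RDP logon on GOV-WS22 and the partner logon on GOV-FS02, whose vendor service install comes many hours later, are left alone. Partner administrators do log in legitimately, so the logon alone is not an alert; the near-in-time service install from an unusual path is what narrows the result, and the same correlation works with process-creation events (4688) in place of 7045.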

Most creatively, the report said UNC215 planted “false flags, such as using Farsi strings to mislead analysts and suggest an attribution to Iran.”

China generally denies attribution on the record, but off-the-record complains that the US and other countries have a double standard, saying that even if US businesses do not engage in espionage, the NSA does.

However, tolerance for Chinese cyber attacks has declined globally as the country’s popularity has plummeted following its handling of the coronavirus crisis, Hong Kong, issues in the South China Sea and accusations of war crimes in its treatment of the Muslim Uyghurs in China.

Israel has maintained high level business connections with Beijing. Chinese companies have invested billions of dollars in Israeli technology start-ups, partnering or acquiring companies in strategic industries like semiconductors and artificial intelligence.

China is also building the railway between Eilat and Ashdod, a private port at Ashdod, and is on the verge of opening a massive new port in Haifa.

But Jerusalem has started to re-balance some of its dealings with China, opting out of cooperation in the application of 5G and other arenas, while avoiding public confrontations.

Former INCD chief Buky Carmeli confirmed to The Jerusalem Post in August 2018 that China and other cyber powerhouses were involved in spying throughout the Israeli public and private sectors, but that they had not reached the state’s “crown jewels” in digital terms.

The Chinese Embassy responded to the report, saying: “The FireEye report’s baseless accusations against China on cybersecurity issues are defamation for political purposes. China is a staunch upholder of cybersecurity. It has always firmly opposed and combated cyber attacks launched within its borders or with its network infrastructure.

“In fact, China is a major victim of cyberattacks. According to statistics from China’s National Computer Network Emergency Response Technical Team, about 52,000 malicious program command and control servers located outside China took control of about 5.31 million computer hosts in China in 2020, which seriously undermined” China, the Embassy said.

It concluded: “We hope Israeli friends and media outlets can make a clear distinction between right and wrong and refrain from providing platforms for rumors.”

The Prime Minister’s Office declined to respond.

The INCD said, “The State of Israel experiences many daily attempts at cyber attacks on a range of targets. Without addressing the identity of the attacker regarding who the report tries to identify, the events described in the report occurred in the past, were handled at the time and probed.”

“The authority even issued a warning at the time regarding the vulnerability described in the report regarding SharePoint and took steps to reduce” the impact on the Israeli economy.
