[TheRecord] Chinese cyber spies targeted Israel posing as Iranian hackers

A Chinese cyber-espionage group has targeted Israeli organizations in a campaign that began in January 2019, and during which the group often used false flags in attempts to disguise itself as an Iranian threat actor.

Detailed in a report published today by security firm Mandiant, the attacks targeted Israeli government institutions, IT companies, and telecommunication providers.

The attackers, which Mandiant tracks under the codename UNC215, typically breached organizations by targeting Microsoft SharePoint servers that had not been patched for the CVE-2019-0604 vulnerability.

Once UNC215 gained access to one of these servers, the group deployed the WHEATSCAN tool to scan the victim’s internal network and then installed the FOCUSFJORD web shell and the HYPERBRO backdoor on key servers to ensure persistence on the hacked organizations’ networks.

Image: Mandiant

Mandiant said the group took great care and several steps to hide their intrusions and minimize forensic evidence on a victim’s network, such as removing malware artifacts once they were not needed and using legitimate software to perform malicious operations.

UNC215 planted Iranian false flags

The group also used false flags inside its malware source code in an attempt to hide its real identity.

Mandiant said UNC215 often used file paths mentioning Iran (e.g., C:\Users\Iran) or error messages written in Farsi (e.g., ‘ضائع’, which translates to “lost” or “missing”).

In addition, on at least three occasions, UNC215 also used an Iranian hacking tool that was leaked on Telegram in 2019 (i.e., the SEASHARPEE web shell).

However, Mandiant researchers said that despite these indicators, the UNC215 group has been conducting cyber-espionage operations of interest to the Chinese state since at least 2014.

Moreover, the attacks against Israeli targets are part of a larger espionage campaign during which UNC215 targeted a broader set of victims across the Middle East, Europe, Asia, and North America, with targets typically in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors.

But while the Mandiant research team attributed these hacks to the UNC215 group, the company said it is currently investigating the possibility that UNC215 might be associated with a larger Chinese cyber-espionage group known as APT27 or Emissary Panda, a group that security firm Cybereason also recently spotted attacking telcos across Southeast Asia.

The post Chinese cyber spies targeted Israel posing as Iranian hackers appeared first on The Record by Recorded Future.
