Chinese espionage group UNC215 leveraged remote desktop protocols (RDP) to access an Israeli government network using stolen credentials from trusted third parties, according to research published today.
Mandiant, part of cybersecurity firm FireEye, analyzed data gathered from their telemetry and the information shared by Israeli entities in collaboration with the authorities. The data revealed multiple concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019.
FireEye has published the findings in a blog detailing the post-compromise tradecraft and operational tactics, techniques and procedures (TTPs) of UNC215. The group has targeted private companies, governments and various organizations in the Middle East, Europe, Asia and North America.
Mandiant’s research comes after a joint announcement on July 19, 2021 by governments in North America, Europe and Asia, and by organizations such as NATO and the EU. The announcement condemned widespread cyber espionage conducted on behalf of the Chinese government.
“These coordinated statements attributing sustained cyber espionage activities to the Chinese Government corroborate our long-standing reporting on Chinese threat actor targeting of private companies, governments, and various organizations around the world, and this blog post shows yet another region where Chinese cyber espionage is active,” says the blog post.
The group remotely executed FOCUSFJORD on its primary target. Since 2019, UNC215 has been exploiting the Microsoft SharePoint vulnerability CVE-2019-0604 to install web shells and FOCUSFJORD payloads. Mandiant says that, even as it and FireEye have been working with Israeli defense agencies, UNC215 has been using TTPs to hinder “attribution and detection, maintain operational security, employ false flags and leverage trusted relationships for lateral movement.”
“UNC215 made technical modifications to their tools to limit outbound network traffic and used other victim networks to proxy their C2 instructions, likely to minimize the risk of detection and blend in with normal network traffic,” the blog post explains.
The team also found a sample of a new malware (MD5:625dd9048e3289f19670896cf5bca7d8), which shares code with FOCUSFJORD. The malware is distinct and only contains functions to relay communications between another FOCUSFJORD instance and a C2 server, which the Mandiant team believes was used in the operation to reduce the likelihood of being detected.
“UNC215 has compromised organizations in the government, technology, telecommunications, defense, finance, entertainment, and health care sectors,” explain the Mandiant Israel Research Team and U.S. Threat Intel Team, which authored the blog post. “The group targets data and organizations which are of great interest to Beijing’s financial, diplomatic, and strategic objectives.” The blog post goes on to say that the activity demonstrates “China’s consistent strategic interest in the Middle East” against the backdrop of “China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.”