United States cybersecurity firm FireEye said a Chinese group has waged a widespread espionage campaign against Israeli entities.
The attacks targeted Israeli government institutions, IT providers and telecommunications firms in multiple, concurrent operations starting in January of 2019, according to an analysis released on Tuesday by the California-based FireEye.
The hackers carried out data harvesting and reconnaissance, likely motivated by financial, technological and business interests. FireEye did not report Chinese government involvement, but said the targets coincided with Beijing’s interests.
During the same campaign against Israel, the group attacked targets in Iran, the United Arab Emirates and Kazakhstan, and may have sought to ascribe the attacks to Iran.
FireEye first detected the Chinese espionage group, called UNC215, making the intrusions by exploiting a Microsoft SharePoint vulnerability in early 2019. The group used its custom malware tools, called FOCUSFJORD and HYPERBRO, during the attacks.
After breaking into a system, the group stole large numbers of users’ credentials and carried out internal network reconnaissance. The group’s HYPERBRO malware was used for information collection, such as screen captures and keylogging.
UNC215 used new tactics, techniques and procedures in the campaign, including taking measures to cover its tracks, exploiting trusted third parties and planting false flags to mislead analysts.
In one 2019 operation, the hackers exploited trusted third parties using stolen credentials to attack an Israeli government network.
FireEye said it had worked with Israeli defense agencies to review data on the attacks, and believes the hacking group is still active in the region.
UNC215 deployed a tool associated with Iranian actors, used Farsi and took other measures in what may have been a false flag attempt to put blame on Iranian attackers.
The attacks against Israeli entities highlight Beijing’s “consistent strategic interest in the Middle East,” FireEye said. “The group targets data and organizations which are of great interest to Beijing’s financial, diplomatic and strategic objectives.”
The espionage takes place amid China’s global Belt and Road infrastructure initiative and the government’s interest in Israel’s technology sector.
FireEye said China has carried out hacking campaigns along the Belt and Road Initiative’s route to surveil potential roadblocks, including political, economic and security issues. The cybersecurity firm said it expects UNC215 to further target governments and organizations linked to the infrastructure initiative in Israel and the Middle East.
The group is suspected of carrying out attacks since at least 2014, and may be linked to the hacking group APT27, FireEye said. UNC215 has infiltrated organizations worldwide working in government, technology, telecommunications, defense, finance, entertainment and health care. The group has hit targets throughout the Middle East, as well as in Europe, Asia and North America, FireEye said.
Last month, the US and allies accused China of widespread cyber espionage. In March, at least 30,000 US organizations, including local governments, were reported to have been hacked in a Chinese cyber espionage campaign that also exploited flaws in Microsoft programs.
FireEye bills itself as “the intelligence-led security company.” It said it has over 10,100 customers in 103 countries, including over half of the Forbes Global 2000 firms.
Israel has been caught between China and the US in recent years, as the two rivals seek to wield global influence while Jerusalem tries to maintain friendly relations and trade ties.
US officials have warned against Chinese investments in Israeli tech firms and involvement in Israel’s infrastructure, especially a Chinese company’s work at Haifa’s port.
China has also bid for, or been involved with, Israeli tunnel construction, railways, desalination plants, agriculture projects and 5G network infrastructure.
Israel has been working for years to expand trade with China, one of the world’s largest markets.