Security News > 2021 > August > Chinese espionage group targets Israel while suggesting the source could be Iran

Chinese espionage group targets Israel while suggesting the source could be Iran
2021-08-11 07:32

Security vendor FireEye says it has spotted a Chinese espionage group that successfully compromised targets within Israel, and that trying to make its efforts look like the work of Iranian actors is part of the group's modus operandi.

A FireEye blog post states the Chinese activity has been ongoing since 2019, when a group it names "UNC215" used the Microsoft SharePoint vulnerability CVE-2019-0604 "To install web shells and FOCUSFJORD payloads at targets in the Middle East and Central Asia".

UNC215 changed tactics, techniques, and procedures through its ongoing campaign, but is consistently fond of installing web shells and attacking Exchange and Outlook Web Access, and has been observed stealing credentials to go about its unpleasant work.

"After identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD," wrote FireEye's security team.

On one occasion FireEye observed "An operator repeatedly and infrequently revisited a compromised network whenever an Endpoint Detection and Response tool detected or quarantined tools like HYPERBRO and Mimikatz. After several months of repeated detections, UNC215 deployed an updated version of HYPERBRO, and a tool called 'anti.exe' to stop Windows Update service and terminate EDR and Antivirus related services."

"China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions - political, economic, and security - and we anticipate that UNC215 will continue targeting governments and organizations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term."


News URL

https://go.theregister.com/feed/www.theregister.com/2021/08/11/china_unc215_israel_attacks/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2019-03-05 CVE-2019-0604 Improper Input Validation vulnerability in Microsoft products
A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka 'Microsoft SharePoint Remote Code Execution Vulnerability'.
network
low complexity
microsoft CWE-20
7.5