Mandiant tracks Chinese espionage group UNC215’s activity in Israel

In early 2019, Mandiant began identifying and responding to intrusions in the Middle East by Chinese espionage group UNC215. These intrusions exploited a Microsoft SharePoint vulnerability to install webshells and FOCUSFJORD payloads at targets in the Middle East and Central Asia.

In addition to data from Mandiant Incident Response and FireEye telemetry, Mandiant worked with Israeli defence agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new tactics, techniques, and procedures to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. Mandiant believes this adversary is still active in the region.

A detailed look into how UNC215 operates revealed that the operators conduct credential harvesting and extensive internal network reconnaissance post-intrusion. After identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD. UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging. While UNC215 heavily relies on the custom tools FOCUSFJORD and HYPERBRO, Chinese espionage groups often have resource sharing relationships with other groups.

UNC215 made several attempts to foil network defenders, such as:

  • Cleaning up evidence of their intrusion after gaining access to a system – This type of action can make it more difficult for incident responders to reconstruct what happened during a compromise.
  • Exploiting trusted third parties in a 2019 operation targeting an Israeli government network – The operators accessed their primary target via RDP connections from a trusted third party using stolen credentials, then used this access to deploy and remotely execute FOCUSFJORD on the target.
  • Making technical modifications to their tools to limit outbound network traffic and using other victim networks to proxy their command-and-control instructions, likely to minimise the risk of detection and blend in with normal network traffic.
  • Planting false flags, such as using Farsi strings to mislead analysts and suggest an attribution to Iran.

While UNC215 prioritises evading detection within a compromised network, Mandiant identified several examples of code, C&C infrastructure, and certificate reuse, indicating that UNC215 operators are less concerned about defenders’ ability to track and detect UNC215 activity.

Mandiant attributes this campaign to Chinese espionage operators, which they track as UNC215 – a Chinese espionage operation suspected of targeting organisations worldwide since 2014. UNC215 has compromised organisations in the government, technology, telecommunications, defence, finance, entertainment, and health care sectors. The group targets data and organisations of great interest to Beijing’s financial, diplomatic, and strategic objectives.

The activity demonstrates China’s consistent strategic interest in the Middle East. This cyber-espionage activity is happening against the backdrop of China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.

China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions – political, economic, and security – and Mandiant anticipates that UNC215 will continue targeting governments and organisations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term.