Cyber threat intelligence firm FireEye has revealed how a Chinese hacker group, dubbed UNC215, has been impersonating Iranian threat actors when targeting Israeli companies to avoid detection and attribution.
The Chinese hacker group, which FireEye believes may be related to APT27, a group that ceased operating in 2015, has been conducting cyber espionage campaigns against organisations in the Middle East and Central Asia since early 2019. UNC215 has been exploiting vulnerabilities in Microsoft Windows, using credential stuffing attacks, and deploying malware to achieve its objectives.
According to Mandiant, the hacker group exploited the Microsoft SharePoint vulnerability CVE-2019-0604 to deploy web shells and the FOCUSFJORD malware inside the networks of a number of organisations located in the Middle East, particularly Israel. The group also uses a number of tactics, techniques, and procedures (TTPs) to remove forensic evidence and to prevent attribution for their attacks.
UNC215 started targeting Israeli government institutions, IT providers, and telecommunications entities from early 2019, exploiting the Microsoft SharePoint vulnerability to gain initial access to networks and then conducting credential harvesting and extensive internal network reconnaissance. The reconnaissance activities included running native Windows commands on compromised servers, executing ADFind on the Active Directory, and scanning networks using numerous publicly available tools.
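The reconnaissance pattern described above (native Windows discovery commands and ADFind run on a compromised server shortly after initial access) is something a defender can look for in process-creation telemetry. The following is an added example, not code from FireEye, Mandiant or the article: it parses constructed process-creation log lines and raises one finding for any ADFind execution and another when several distinct discovery tools run on the same host inside a short window. The log format, the host and account names, the ten-minute window and the four-tool threshold are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Native Windows commands and public tools typically used for AD and network
# discovery. ADFind is named in the report; the other entries are assumed
# examples of "native Windows commands" a defender would also watch.
RECON_TOOLS = {
    "adfind.exe", "whoami.exe", "net.exe", "net1.exe", "nltest.exe",
    "ipconfig.exe", "systeminfo.exe", "quser.exe", "tasklist.exe",
    "netstat.exe", "nbtstat.exe", "dsquery.exe",
}
WINDOW = timedelta(minutes=10)   # assumption: discovery bursts cluster tightly
THRESHOLD = 4                    # assumption: distinct tools needed to alert

# Constructed sample telemetry: "<ISO timestamp>|<host>|<user>|<command line>".
# SP-WEB01 mimics a web server whose service account starts running discovery
# commands; WKS-042 is a user workstation with two unrelated commands hours apart.
SAMPLE_LOG = """\
2019-03-04T10:15:02|SP-WEB01|NT AUTHORITY\\NETWORK SERVICE|C:\\Windows\\System32\\whoami.exe
2019-03-04T10:15:09|SP-WEB01|NT AUTHORITY\\NETWORK SERVICE|C:\\Windows\\System32\\ipconfig.exe /all
2019-03-04T10:15:31|SP-WEB01|NT AUTHORITY\\NETWORK SERVICE|C:\\Windows\\System32\\net.exe group "domain admins" /domain
2019-03-04T10:16:47|SP-WEB01|NT AUTHORITY\\NETWORK SERVICE|C:\\Windows\\Temp\\AdFind.exe -f objectcategory=computer
2019-03-04T10:17:05|SP-WEB01|NT AUTHORITY\\NETWORK SERVICE|C:\\Windows\\System32\\nltest.exe /dclist:corp
2019-03-04T11:40:00|WKS-042|CORP\\alice|C:\\Windows\\System32\\ipconfig.exe
2019-03-04T14:02:10|WKS-042|CORP\\alice|C:\\Windows\\System32\\whoami.exe
"""


def parse_log(text):
    """Turn the pipe-separated sample format into (timestamp, host, user, cmd) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def image_name(cmd):
    """Return the lowercase executable file name from a command line,
    handling both bare and double-quoted image paths."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:cmd.index('"', 1)]
    else:
        path = cmd.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_recon(text, window=WINDOW, threshold=THRESHOLD):
    """Return findings: every ADFind execution, plus one 'recon_burst' per host
    on which at least `threshold` distinct discovery tools ran within `window`."""
    findings = []
    per_host = defaultdict(list)
    for ts, host, user, cmd in sorted(parse_log(text)):
        name = image_name(cmd)
        if name not in RECON_TOOLS:
            continue
        if name == "adfind.exe":
            findings.append({"host": host, "rule": "adfind_execution",
                             "user": user, "time": ts.isoformat()})
        per_host[host].append((ts, name))
    for host, evs in per_host.items():
        for i, (start, _) in enumerate(evs):
            # Distinct tools seen from this event until the window closes.
            tools = {n for t, n in evs[i:] if t - start <= window}
            if len(tools) >= threshold:
                findings.append({"host": host, "rule": "recon_burst",
                                 "tools": sorted(tools), "start": start.isoformat()})
                break  # one burst alert per host is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```

The per-host window keeps a single `ipconfig` on a workstation from alerting while still catching the server-side sequence, and ADFind is reported on its own because the report singles it out; in a real deployment the tool list and threshold would be tuned against the environment's baseline of administrative activity.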
The hacker group extensively uses two malware families, FOCUSFJORD and HYPERBRO, with the latter offering more information collection capabilities such as screen capture and keylogging. FOCUSFJORD is primarily used to connect to a C2 server: it writes its encrypted C2 configuration into the system’s registry, sets up a persistence mechanism, and then rewrites itself on disk without the embedded configuration, so that subsequent runs only read the configuration data back from the registry.
Mandiant said that UNC215 also leverages RDP connections from trusted third parties to target victim networks and also uses a tool named FJORDOHELPER to completely remove FOCUSFJORD from infected systems after an objective is accomplished. The malware is constantly updated by its authors to reduce its footprint, increase its functionality, and expand the number of supported configurations with each new update.
However, the most interesting trait of the hacker group is its impersonation of other hacker groups to prevent attribution and to hide the Chinese government’s involvement in attacks on Israeli institutions. For instance, on three separate occasions, Mandiant observed UNC215 using a custom tool associated with Iranian actors whose source code was leaked. The security firm also identified FOCUSFJORD samples with registry key names in regional languages, such as Farsi, Hindi, and Arabic.
“The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT groups may have been intended to mislead analysts and suggest an attribution to Iran. Notably, in 2019 the government of Iran accused APT27 of attacking its government networks and released a detection and removal tool for HYPERBRO malware,” it said.
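The two paragraphs above describe artifacts (Farsi, Hindi and Arabic registry key names, file paths containing /Iran/, web shells tied to another group) that were apparently planted so that analysts would attribute the activity to Iran. An analyst triaging such artifacts wants them recorded but weighted accordingly. The following is an added example, not code from the article or from FireEye/Mandiant: it classifies the Unicode script of each artifact string, distinguishes text that uses Persian-only letters (such as پ, چ, ژ, گ) from generic Arabic-script text, flags /Iran/-style path tokens, and labels every such hint as low-weight attribution evidence. The sample registry key names and paths are constructed for the example and are not indicators from the report.

```python
import unicodedata

# Letters that exist in Persian but not in the standard Arabic alphabet. The
# strings are the real Unicode character names (minus the "ARABIC LETTER "
# prefix); using them as a Farsi-versus-Arabic hint is this example's idea.
PERSIAN_ONLY = {"PEH", "TCHEH", "JEH", "GAF", "FARSI YEH"}

# Path components the report cites as misleading; lower-case, matched as a
# whole directory name.
GEO_TOKENS = {"iran"}

# Constructed artifacts: registry key names and file paths as an analyst might
# extract them from a sample. None of these are real indicators.
SAMPLE_ARTIFACTS = [
    r"HKCU\Software\Classes\CLSID\پیکربندی",                   # Persian "configuration"
    r"C:\ProgramData\Iran\svc.dll",                            # /Iran/ path token
    r"HKCU\Software\Updater\सेटिंग",                             # Hindi "setting"
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",     # ordinary key, no hint
    r"HKCU\Software\Updater\الإعدادات",                         # Arabic "the settings"
]


def script_profile(text):
    """Count alphabetic characters per Unicode script (the first word of the
    character name, e.g. LATIN, ARABIC, DEVANAGARI) and report whether any
    Persian-only letter occurs."""
    counts = {}
    persian_specific = False
    for ch in text:
        if not ch.isalpha():
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        script = name.split()[0]
        counts[script] = counts.get(script, 0) + 1
        if script == "ARABIC" and name.replace("ARABIC LETTER ", "") in PERSIAN_ONLY:
            persian_specific = True
    return counts, persian_specific


def assess_artifact(artifact):
    """Return the attribution-flavoured hints found in one artifact string.
    Every hint is reported with low weight: these are exactly the kinds of
    artifacts the report says were planted to mislead analysts."""
    counts, persian = script_profile(artifact)
    hints = []
    if counts.get("ARABIC"):
        hints.append("farsi_script" if persian else "arabic_script")
    if counts.get("DEVANAGARI"):
        hints.append("devanagari_script")
    normalised = artifact.replace("\\", "/").lower()
    if any(f"/{token}/" in normalised for token in GEO_TOKENS):
        hints.append("geo_path_token")
    return {"artifact": artifact, "hints": hints,
            "attribution_weight": "low" if hints else "none"}


def triage(artifacts):
    """Assess a list of artifact strings; the caller should treat the hints as
    observations to correlate with tooling and infrastructure, not as a verdict."""
    return [assess_artifact(a) for a in artifacts]


if __name__ == "__main__":
    for result in triage(SAMPLE_ARTIFACTS):
        print(result)
```

The script profile is derived from Unicode character names rather than a language model, which is enough to separate "text in Arabic script" from "text that can only be Persian" and to keep ordinary Latin registry paths out of the report; the deliberate design choice is that no combination of these hints ever yields a weight above "low", leaving attribution to evidence such as the malware family and the tool overlap the report actually relies on.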
According to Mandiant, the hacker group’s list of targets matches China’s consistent strategic interest in the Middle East. “China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions—political, economic, and security—and we anticipate that UNC215 will continue targeting governments and organisations involved in these critical infrastructure projects in Israel and the broader Middle East in the near- and mid-term,” it added.