China has hacked dozens of Israeli public and private sector groups as well as groups in Iran, Saudi Arabia and a variety of other countries, the international cybersecurity company FireEye announced Tuesday.
The massive cyber attack appears to be part of a long-term spying strategy in the area of technology and business competition and advancement, rather than a desire to harm any of the target countries or businesses.
According to FireEye, Beijing does not discriminate along any of the fault lines in the region, using its cyber tools to spy on a wide array of Middle Eastern countries, which are often at odds with each other, while all doing business with China.
The goal seems to have been to gain intelligence into achieving better negotiation outcomes in terms of pricing by viewing internal email discussions and assessments, and to appropriate certain key technological developments where possible.
In addition, the attack is tied to cyber exploitation of holes in Microsoft’s SharePoint, announced by the Israel National Cyber Directorate (INCD) in 2019. The full impact of that exploitation is not currently being felt.
The INCD tends not to name specific countries involved and would not name China on Tuesday.
The revelation was a joint effort by FireEye and Mandiant.
Mandiant, a part of FireEye, says it “brings together the world’s leading threat intelligence and frontline expertise with continuous security validation to arm organizations with the tools needed to increase security effectiveness.”
Estimates are that some public and private sector Israeli entities started to repel the attack once the SharePoint vulnerability was announced in 2019, but that in other cases, Chinese spying in Israel continued deep into 2020.
The timing of the current announcement seemed to dovetail with the announcement by governments in Europe, Asia, the US and NATO in July of a similar massive cyber attack carried out by China.
The report said that Mandiant and FireEye “worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities.”
During this time, Chinese espionage group UNC215 “used new TTPs [Tactics, Techniques and Procedures] to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement.”
Mandiant said it “believes this adversary is still active in the region,” even if the specific kind of attack may not be its current major cyber spying move.
According to the report, UNC215 operators “conduct credential harvesting and extensive internal network reconnaissance post-intrusion. After identifying key systems within the target network, such as domain controllers and Exchange servers, UNC215 moved laterally and deployed their signature malware FOCUSFJORD.”
“UNC215 often uses FOCUSFJORD for the initial stages of an intrusion, and then later deploys HYPERBRO, which has more information collection capabilities such as screen capture and keylogging” said the report.
Next, the report said that UNC215 made several attempts to foil network defenders, such as “Cleaning up evidence of their intrusion after gaining access to a system - This type of action can make it more difficult for incident responders to reconstruct what happened.”
Further, UNC215 exploited “trusted third parties in a 2019 operation targeting an Israeli government network - The operators were able to access their primary target via RDP [Remote Desktop Protocol] connections from a trusted third party using stolen credentials and used this access to deploy and remotely execute FOCUSFJORD on their primary target.”
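The two behaviours quoted above, RDP logons arriving from a trusted third party with stolen credentials and the subsequent clearing of evidence on the compromised host, are both visible in Windows Security logs. The following Python is an added example, not code from the FireEye/Mandiant report or from the article: it runs two simple detection rules over a handful of constructed sample events and escalates a log-clearing event when it closely follows a flagged RDP logon on the same host. The host names, user names, address ranges and the one-hour correlation window are all assumptions; the Windows event IDs (4624 for a successful logon, logon type 10 for RDP/RemoteInteractive, 1102 for the audit log being cleared) are standard.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names loosely mirror the
# Windows Security log: 4624 = successful logon (logon_type 10 = RDP /
# RemoteInteractive), 1102 = "The audit log was cleared".
SAMPLE_EVENTS = [
    {"time": "2019-03-04T08:12:00", "host": "gov-fs01", "event_id": 4624,
     "logon_type": 10, "user": "svc-backup", "src_ip": "203.0.113.25"},
    {"time": "2019-03-04T08:13:30", "host": "gov-fs01", "event_id": 4624,
     "logon_type": 3, "user": "jdoe", "src_ip": "10.20.5.17"},
    {"time": "2019-03-04T08:40:10", "host": "gov-fs01", "event_id": 1102,
     "user": "svc-backup"},
    {"time": "2019-03-05T11:00:00", "host": "gov-ws22", "event_id": 4624,
     "logon_type": 10, "user": "admin-it", "src_ip": "10.20.9.3"},
    {"time": "2019-03-06T02:15:00", "host": "gov-dc01", "event_id": 1102,
     "user": "someadmin"},
]

# Assumed placeholders: the organisation's own address space and the block
# assigned to a trusted third party (for example a contractor's VPN pool).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
THIRD_PARTY_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed: a log clear within this window of a suspicious RDP logon is escalated.
CORRELATION_WINDOW = timedelta(hours=1)


def classify_source(ip_str):
    """Return 'internal', 'third_party' or 'external' for a source address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in THIRD_PARTY_NETS):
        return "third_party"
    if any(ip in net for net in INTERNAL_NETS):
        return "internal"
    return "external"


def detect(events):
    """Run the two rules over a list of event dicts; return alert dicts in time order."""
    alerts = []
    flagged_rdp = {}  # host -> list of (timestamp, user) for suspicious RDP logons
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4624 and ev.get("logon_type") == 10:
            origin = classify_source(ev["src_ip"])
            if origin == "internal":
                continue  # ordinary admin RDP inside the network is not flagged here
            alerts.append({
                "rule": "rdp_from_" + origin,
                "host": ev["host"], "user": ev["user"],
                # A partner's address is an expected business path, so it starts
                # at medium; an RDP logon straight from the internet is high.
                "severity": "medium" if origin == "third_party" else "high",
                "detail": f"RDP logon from {ev['src_ip']} ({origin})",
            })
            flagged_rdp.setdefault(ev["host"], []).append((ts, ev["user"]))
        elif ev["event_id"] == 1102:
            # Anti-forensics: the audit log was cleared. On its own it is
            # medium; if a suspicious RDP logon hit this host shortly before,
            # treat it as part of the same intrusion and escalate.
            preceding = [user for (t, user) in flagged_rdp.get(ev["host"], [])
                         if timedelta(0) <= ts - t <= CORRELATION_WINDOW]
            alerts.append({
                "rule": "security_log_cleared",
                "host": ev["host"], "user": ev["user"],
                "severity": "high" if preceding else "medium",
                "detail": ("cleared after RDP logon by " + ", ".join(preceding)
                           if preceding else "cleared, no correlated RDP logon"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['host']:9} {alert['rule']:24} {alert['detail']}")
```

In practice the event records would come from a SIEM or from exported EVTX data rather than an inline list, and the third-party ranges would be maintained from the organisation's actual partner and contractor access lists; the point of the correlation step is that a log clear on a host that has just accepted a partner-sourced RDP session is a much stronger signal than either event alone.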
Most creatively, the report said UNC215 planted “false flags, such as using Farsi strings to mislead analysts and suggest an attribution to Iran.”
China generally denies attribution on the record, but off-the-record complains that the US and other countries have a double standard, saying that even if US businesses do not engage in espionage, the NSA does.
However, tolerance for Chinese cyber attacks has declined globally as the country’s popularity has plummeted following its handling of the coronavirus crisis, Hong Kong, issues in the South China Sea and accusations of war crimes in its treatment of the Muslim Uyghurs in China.
Israel has maintained high level business connections with Beijing. Chinese companies have invested billions of dollars in Israeli technology start-ups, partnering or acquiring companies in strategic industries like semiconductors and artificial intelligence.
China is also building the railway between Eilat and Ashdod, a private port at Ashdod, and is on the verge of opening a massive new port in Haifa.
But Jerusalem has started to re-balance some of its dealings with China, opting out of cooperation in the application of 5G and other arenas, while avoiding public confrontations.
Former INCD chief Buky Carmeli confirmed to The Jerusalem Post in August 2018 that China and other cyber powerhouses were involved in spying throughout the Israeli public and private sectors, but that they had not reached the state’s “crown jewels” in digital terms.
The Chinese Embassy responded to the report, saying: “The FireEye report’s baseless accusations against China on cybersecurity issues are defamation for political purposes. China is a staunch upholder of cybersecurity. It has always firmly opposed and combated cyber attacks launched within its borders or with its network infrastructure.
“In fact, China is a major victim of cyberattacks. According to statistics from China’s National Computer Network Emergency Response Technical Team, about 52,000 malicious program command and control servers located outside China took control of about 5.31 million computer hosts in China in 2020, which seriously undermined” China, the Embassy said.
It concluded: “We hope Israeli friends and media outlets can make a clear distinction between right and wrong and refrain from providing platforms for rumors.”
The Prime Minister’s Office declined to respond.
The INCD said, “The State of Israel experiences many daily attempts at cyber attacks on a range of targets. Without addressing the identity of the attacker regarding who the report tries to identify, the events described in the report occurred in the past, were handled at the time and probed.”
“The authority even issued a warning at the time regarding the vulnerability described in the report regarding SharePoint and took steps to reduce” the impact on the Israeli economy.