UNC215: Spotlight on a Chinese Espionage Campaign in Israel


This blog post details the post-compromise tradecraft and operational
tactics, techniques, and procedures (TTPs) of a Chinese espionage
group we track as UNC215. While UNC215’s targets are located
throughout the Middle East, Europe, Asia, and North America, this
report focuses on intrusion activity primarily observed at Israeli entities.

This report comes on the heels of the July 19, 2021, announcements
by governments in North America, Europe, and Asia, and by
intergovernmental organizations such as the North Atlantic Treaty
Organization (NATO) and the European Union, condemning widespread
cyber espionage conducted on behalf of the Chinese Government. These
coordinated statements attributing sustained cyber espionage
activities to the Chinese Government corroborate our long-standing
reporting on Chinese threat actor targeting of private companies,
governments, and various organizations around the world, and this blog
post shows yet another region where Chinese cyber espionage is active.

Threat Detail

In early 2019, Mandiant began identifying and responding to
intrusions in the Middle East by Chinese espionage group UNC215. These
intrusions exploited the Microsoft SharePoint vulnerability
CVE-2019-0604 to install web shells and FOCUSFJORD payloads at targets
in the Middle East and Central Asia. There are overlaps in targeting
and high-level techniques between UNC215 and APT27, but we do not
have sufficient evidence to say that the same actor is responsible for
both sets of activity. APT27 has not been seen since 2015, and UNC215
is targeting many of the regions that APT27 previously focused on;
however, we have not seen a direct connection or shared tools, so we are
only able to assess this link with low confidence.

In addition to data from Mandiant Incident Response and FireEye
telemetry, we worked with Israeli defense agencies to review data from
additional compromises of Israeli entities. This analysis showed
multiple, concurrent operations against Israeli government
institutions, IT providers and telecommunications entities beginning
in January 2019. During this time, UNC215 used new TTPs to hinder
attribution and detection,

[…]
