Chinese espionage in Middle East part of wider 'state cyber' trend

中國在中東的間諜活動是更廣泛的“國家網絡”趨勢的一部分

Israel, UAE, and Iran among chief targets


TAIPEI (Taiwan News) — Chinese hacker group “UNC215” is behind a widespread cyber-espionage campaign targeting multiple countries in the Middle East, according to cyber research firm FireEye.



The attacks targeted a number of countries including Israel, the United Arab Emirates, Iran, and Kazakhstan, and most notably warrant the first documented case of a large-scale Chinese attack on Israel, according to a new report released by the firm on Tuesday (Aug. 10).

Starting in early 2019, the intrusions exploited a Microsoft SharePoint vulnerability named “CVE-2019-0604” to install web shells and “FOCUSFJORD” payloads, targeting government agencies, IT services, and telecom providers. UNC215 stole large volumes of user data and carried out internal network reconnaissance through screen captures and keylogging, the report says.

The group used novel tactics to cover its tracks by exploiting trusted third parties and planting false flags to frame other state actors for the attack. As the report states, “The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT groups may have been intended to mislead analysts and suggest an attribution to Iran.”

FireEye says this is just one of a number of “intrusion campaigns” China has carried out against countries that lie along its Belt and Road Initiative. These operations are used to “monitor potential obstructions—political, economic, and security” to Chinese-funded critical infrastructure projects and especially in the case of Israel, investments in strategic industries like semiconductors and artificial intelligence.

The report is part of a growing body of literature that highlights a growing trend toward cyberattacks by nation-states and comes amid growing calls by the U.S. and its allies to create a joint strategy to counter such operations, especially those emanating from China.

Evolving threat

New studies have shone a light on the economic importance of cyberattacks, such as a Venafi report in June that shows cybercrime is now North Korea’s primary means of generating state revenue. The report’s author, Yana Blachman, estimates the regime generates roughly US$1 billion every year from cybercrime and is fast becoming a model for other pariah states.

States are also taking advantage of the current pandemic by phishing for COVID-19 vaccine IP data and disrupting software that operates supply chains, according to research by the University of Surrey’s Mike McGuire.

His work shows the world is closer than ever to advanced cyberconflict with nation-state cyber attacks rising 100% between 2017 and 2020. Last year’s pandemic is seen as a “significant opportunity'' for exploitation by states, according to experts McGuire interviewed.

Indeed, 2020 also saw Taiwanese security firm CyCraft uncover new threats from state-backed hackers, such as “Operation Skeleton Key” — a coordinated attack connected to infamous Chinese group “Winnti” that used a "skeleton key injector" technique to compromise seven Taiwanese chip firms over a two year period.

“This is very much a state-based attack trying to manipulate Taiwan's standing and power," Chad Duffy, a CyCraft researcher, said at the time.



Global problems, global solutions

Private industry leaders across the world are alarmed and are calling for greater protections, according to a joint report by the Economist Intelligence Unit and Cybersecurity Tech Accord, “A shifting landscape: corporate perceptions of nation-state cyber-threats."

In the survey of executives from businesses in the Asia–Pacific, Europe, and the United States, 87% of industry leaders said they "were ‘concerned’ or ‘very concerned’ about their organization falling victim to state-led or sponsored cyberattacks." Meanwhile, 85% of executives from Asia-Pacific said they were “‘more concerned’ about the threat from state actors than they were five years ago,” with most naming the pandemic as heightening the risk further.

In addition, 60% of directors said their country "only offered a ‘medium’ or ‘low’ level of protection from state-led cyberattacks."

Those surveyed expressed a desire for stronger global cooperation, many speaking of the need for an international treaty to prevent dangerous actions by states and maintain a stable online environment.

Rather than taking immediate unilateral action, the Biden administration is now trying to build consensus among members of the international community on how to respond to state-backed cyberattacks, especially those connected to China, U.S. National Security Council Adviser Anne Neuberger said at the recent Aspen Security Forum on Wednesday (Aug. 4).