Chinese Hackers Used Cyber-Disguising Technology against Israel: Report

By Forest Cong

Published 19 August 2021

Beginning in January 2019, UNC215, a Chinese government digital spy group, hacked into Israeli government networks after using the Remote Desktop Protocol (RDP) to steal credentials from trusted third parties.

A major cybersecurity firm says it believes Beijing-backed hackers carried out cyberattacks on Israel while pretending to be operating from Israel’s archrival, Iran. 

U.S. cybersecurity firm FireEye said on August 10 that a study it conducted in cooperation with the Israeli military found that “UNC215,” described by FireEye as a spy group suspected of being from China, had hacked into Israeli government networks after using the Remote Desktop Protocol (RDP) to steal credentials from trusted third parties. RDP enables a user, including an attacker holding stolen credentials, to connect to a computer from afar and see the “desktop” of the remote device.

FireEye data, along with information shared by Israel’s defense agency, show that starting in January 2019, UNC215 carried out a number of concurrent attacks “against Israeli government institutions, IT providers, and telecommunications entities,” according to the report.   

Mandiant: Chinese Hackers Masquerading as Iranians

FireEye’s report comes shortly after a July 19 joint statement by the U.S., the European Union and NATO accusing China of “a pattern of malicious cyber activity” aimed at entities ranging from foreign governments to private companies globally.

In 2019 and 2020, when hackers allegedly broke into the computers of the Israeli government and technology companies, investigators looked for clues to find those responsible for the cyberattacks. The initial evidence pointed directly to Iran, Israel’s geopolitical rival. Hackers used tools commonly associated with Iranians and wrote in Farsi.   

But after further scrutiny of the evidence and the information gathered from other cyberespionage cases in the Middle East, the investigators realized that it was not an Iranian operation. Instead, the evidence suggested the attacks were carried out by Chinese agents posing as Iranian hackers.  

John Hultquist, vice president of threat intelligence at FireEye, told VOA that Mandiant, a cybersecurity operation owned by FireEye, “attributes this campaign to Chinese espionage operators, which operate on behalf of the Chinese government.”

The hackers’ tactics included using a file path that contains the word “Iran,” according to the study. At the same time, the attackers made every effort to protect their true identity, minimizing the forensic evidence they left on compromised computers and hiding the infrastructure they used to break into Israeli computers.

According to Hultquist, the deception efforts may appear to be effective; however, even if a single attack is successfully misattributed, it becomes increasingly difficult to hide the hackers’ identities when multiple attacks are carried out.