A Chinese APT planted false flags during attacks on Israeli organisations that aimed to convince network defenders the incidents were Iranian in origin, analysis of a live campaign by Mandiant suggests.
The hackers, tracked as UNC215, engaged in "multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019" Mandiant said, adding that it analysed their tactics, techniques, and procedures (TTPs) alongside Israeli defense agencies.
"During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is still active in the region," Mandiant noted in an August 10 blog detailing its offensive techniques.
Often their initial entry point was abuse of a CVSS 9.8 RCE vulnerability (CVE-2019-0604) in Microsoft’s Sharepoint first reported in 2019. After gaining initial access, the operators conduct credential harvesting and extensive internal network reconnaissance, including scanning the internal network with a non-public scanner dubbed WHEATSCAN, before making a "a consistent effort to delete these tools and... residual forensic artifacts".
Mandiant said attributes the campaign to Chinese espionage operators that have been suspected of targeting organizations around the world since at least 2014. It targets "data and organizations which are of great interest to Beijing's financial, diplomatic, and strategic objectives." It also associates the hackers with Chinese APT27.
Chinese APT used "Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT groups"
"We identified numerous examples of efforts by UNC215 to foil network defenders by minimizing forensic evidence left on compromised hosts, exploiting relationships with trusted third parties, continuously improving the FOCUSFJORD backdoor, concealing command and control (C2) infrastructure, and incorporating false flags" Mandiant said. These included foreign language strings that do not match the country being targeted and the use of a custom tool associated with Iranian actors the source code of which was leaked in 2019.
"The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT groups may have been intended to mislead analysts and suggest an attribution to Iran" Mandiant said.
Among other TTPs, the threat group delivers a FOCUSFJORD malware payload containing a blob that includes C2 and other configuration data. This writes an "encrypted C2 configuration into the system’s registry, sets up a persistence mechanism and then rewrites itself on disk without the embedded configuration and with limited functionality to only read configuration data. This process enables the operators to obfuscate the configured C2 servers from automated sandbox runs or disclosure in public file scanning services."
For the full details of the campaign and TTPs, see Mandiant's blog here.