Chinese Hackers Used Cyber-disguising Technology Against Israel,
August 19, 2021
A major cybersecurity firm says it believes Beijing-backed hackers
carried out cyberattacks on Israel while pretending to be operating
from Israel's archrival, Iran.
U.S. cybersecurity firm FireEye said on August 10 that a study it
conducted in cooperation with the Israeli military found that
"UNC215," described by FireEye as a spy group suspected of being
from China, had hacked into Israeli government networks after using
the Remote Desktop Protocol (RDP) to steal credentials from trusted
third parties. RDP enables a hacker to connect to a computer from
afar and see the "desktop" of the remote device.
FireEye data, along with information shared by Israel’s defense
agency, show that starting in January 2019, UNC215 carried out a
number of concurrent attacks "against Israeli government
institutions, IT providers, and telecommunications entities,"
according to the report.
Mandiant: Chinese hackers masquerading as Iranians
FireEye’s report comes shortly after a July 19 joint statement by
the U.S., the European Union and NATO accusing China of "a pattern
of malicious cyber activity" aimed at entities ranging from foreign
governments to private companies globally.
In 2019 and 2020, when hackers allegedly broke into the computers of
the Israeli government and technology companies, investigators
looked for clues to find those responsible for the cyberattacks. The
initial evidence pointed directly to Iran, Israel's geopolitical
rival. Hackers used tools commonly associated with Iranians and
wrote in Farsi.
But after further scrutiny of the evidence and the information
gathered from other cyberespionage cases in the Middle East, the
investigators realized that it was not an Iranian operation.
Instead, the evidence suggested the attacks were carried out by
Chinese agents posing as Iranian hackers.
John Hultquist, vice president of threat intelligence at FireEye,
told VOA that Mandiant, a cybersecurity operation owned by FireEye,
"attributes this campaign to Chinese espionage operators, which
operate on behalf of the Chinese government."
The tactics used by hackers include using a file path that contains
the word “Iran,” according to the study. At the same time, the
attackers made every effort to protect their true identity,
minimizing the forensic evidence they had left on compromised
computers and hiding the infrastructure they used to break into
According to Hultquist, the deception efforts may appear to be
effective; however, even if a single attack may be successfully
misattributed, it becomes increasingly difficult to hide the
hackers’ identities if multiple attacks are carried out.
Liu Pengyu, a spokesperson for the Chinese embassy in Washington,
challenged the FireEye findings in an interview with the website
"Given the virtual nature of cyberspace and the fact that there are
all kinds of online actors who are difficult to trace, it’s
important to have enough evidence when investigating and identifying
cyber-related incidents," he said.
Chris Kubecka, chair of the cyber program at the Middle East
Institute (MEI), a Washington-based research institute, suggested
that FireEye's conclusion that Beijing-backed hackers were
responsible may have been too hasty.
"FireEye is not really in a position to prove attribution. That
position is for governments after a proper investigation," she said.
Kubecka, however, also pointed out that all too often, nation-state
actors make their attacks look like the work of other countries or
regimes, through the language used in "code comments," appearing as
a different country, or by reusing code from another piece of
malware to divert blame. A "comment," a term used in computer
programming, is programmer-readable text that makes the source code
easier to understand.
If confirmed, what are Beijing's intentions?
Kubecka told VOA that if the Chinese government was responsible for
the cyberattacks, it could be part of a long game of splitting the
Middle East politically through infrastructure and trade deals. She
said the Chinese government has shown an appetite for acquiring and
copying technology, with the goal of benefiting Chinese businesses
and ultimately the Chinese economy by reducing development costs.
During the administration of President Donald Trump, the U.S.
accused Chinese companies and workers of stealing American
technology and trade secrets. In 2019, the Chinese tech giant Huawei
was charged by U.S. federal prosecutors with stealing trade secrets
from U.S. company T-Mobile.
"Currently, most Middle East and especially GCC (Gulf Cooperation
Council) countries don't want to be pulled into the political game
that has affected the USA and China. Posing as a well-known
destabilizing country via cyberattacks could achieve long-term goals
for the Chinese government in the region," she said.
Denny Roy, a senior fellow at the Washington-based East-West Center
research organization, told VOA that this is an indication of the
depth of China’s commitment to cybertheft as part of China’s
national development strategy: The top leadership blesses it despite
the possibility of offending important trade or political partners,
in this case, Israel.
“It suggests Chinese hubris — that Beijing thinks China’s economic
importance to the world allows China to get away with almost
anything. The more China aspires to be a global great power, the
more it will encounter contradictory pressures in its foreign
policy, such as trying to simultaneously portray itself as a friend
to both Israel and Iran,” Roy added.
Hultquist argued that this cyber espionage activity is happening
against the backdrop of China’s multibillion-dollar investment
related to the Belt and Road Initiative and its interest in Israel’s
According to FireEye’s report, "Chinese companies have invested
billions of dollars into Israeli technology startups, partnering or
acquiring companies in strategic industries like semi-conductors and
artificial intelligence." The report continued: "As China’s BRI
(Belt and Road Initiative) moves westward, its most important
construction projects in Israel are the railway between Eilat and
Ashdod, a private port at Ashdod, and the port of Haifa."
Richard Weitz, director of the Center for Political-Military
Analysis with the Hudson Institute, a U.S.-based research group,
told VOA that China is one of the few countries in the world that
enjoys good relations with Israel, Iran and Saudi Arabia.
"These good relations should be able to survive intermittent
incidents like the recent cyber hacking, but one variable beyond
China’s control is the position of the United States. If Washington
presses its partners like Israel to make choices, then China’s
balancing act may no longer prove viable," he said.