unc215

UNC215 is a Chinese cyber-espionage group tracked by Mandiant, with intrusion activity observed primarily against Israeli entities beginning in January 2019 and broader targeting assessed since at least 2014. Mandiant reported multiple concurrent operations against Israeli government institutions, IT providers, and telecommunications entities, and assessed with low confidence that UNC215 overlaps with the actor widely known as APT27, also referred to as Emissary Panda or Iron Tiger. Observed UNC215 tradecraft included exploitation of Microsoft SharePoint CVE-2019-0604 to install web shells and deploy the FOCUSFJORD backdoor. After initial access, the group conducted credential harvesting, extensive internal reconnaissance using native Windows commands and ADFind, internal network scanning with publicly available tools and the non-public scanner WHEATSCAN, and lateral movement to key systems including domain controllers and Exchange/OWA servers. In at least one case, the group pivoted to multiple OWA servers and installed web shells to harvest credentials. Mandiant also reported use of stolen credentials and RDP connections from a trusted third party to access an Israeli government network. UNC215 commonly deployed FOCUSFJORD in early intrusion stages and later deployed HYPERBRO for additional collection. HYPERBRO was described as supporting information collection including screen capture and keylogging. FOCUSFJORD stored encrypted C2 configuration in the Windows registry, established persistence, and rewrote itself on disk without embedded configuration to hinder analysis. A related utility, FJORDOHELPER, could update FOCUSFJORD configuration and remove FOCUSFJORD artifacts including registry data and persistence mechanisms. Mandiant also identified a distinct malware sample sharing code with FOCUSFJORD that appeared designed only to relay communications between FOCUSFJORD and a C2 server. The group demonstrated operational security measures including deleting tools and residual artifacts, modifying tooling to limit outbound traffic, and proxying C2 communications through victim networks. Mandiant also documented false-flag elements in UNC215 campaigns, including foreign-language strings that did not match the targeted country, use of the Iranian-associated SEASHARPEE web shell after its code was leaked, Farsi registry key names in some FOCUSFJORD samples, and a sample containing Hindi registry key names and an Arabic error string. At the same time, Mandiant noted tradecraft weaknesses including reuse of the same files, shared infrastructure across multiple victims, and frequent SSL certificate reuse on C2 servers. Mandiant assessed UNC215 is a Chinese espionage operation and believed it remained active in the region. The reporting states the group’s targeting and activity align with Chinese strategic interests in Israel and Belt and Road Initiative-related projects.