An investigation by the American cybersecurity firm FireEye, carried out in cooperation with the Israeli military, into a large-scale cyberattack targeting the Israeli government, technology companies, and telecommunications firms found that the culprits posed as Iranian operatives but were most probably Chinese.
In a report published this week, FireEye's investigators referred to the hackers as UNC215. They set out the reasons for suspecting China while noting that there is insufficient evidence to link the espionage group to the Chinese state. The company's threat analysts suspected China because the targets "are of great interest to Beijing's financial, diplomatic, and strategic objectives". These targets overlap with those of other Chinese hacking groups and do not always coincide with the interests of known Iranian hackers.
“You can create significant deception, but ultimately you have to target what interests you,” John Hultquist, vice president of threat intelligence at FireEye, said. “That will provide information on who you are because of where your interests are.”
The report stated that the hackers used Farsi in the parts of their code that incident response teams were likely to recover, and also used hacking tools associated with Iranian groups that had previously been leaked online.
However, linguistic analysts at FireEye said the terms chosen by the group wouldn’t have been used by native Farsi speakers.
“The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT [Advanced Persistent Threat] groups may have been intended to mislead analysts and suggest an attribution to Iran,” the report said.
While leaving hints that they were Iranian, the hackers also put great effort into concealing their identity by minimizing the forensic evidence they left on compromised computers.
FireEye's threat analysts stated that they are nonetheless confident that the espionage group is Chinese, given that its targets "are of great interest to Beijing's financial, diplomatic, and strategic objectives".
If Chinese hackers were behind the cyberattack, this would be the first known case of a large-scale Chinese hack against Israel. It comes in the wake of a set of multibillion-dollar Chinese investments in the Israeli tech industry made as part of Beijing's Belt and Road Initiative (BRI), also known as One Belt, One Road (OBOR).
The OBOR initiative is a global development strategy adopted by the Chinese government in 2013, involving infrastructure development and investments in nearly 70 countries and international organizations across Asia, Europe, and Africa. The project is comprehensive in scope, focused on building transportation and telecommunications trade infrastructure with the goal of creating a China-centred global economy.
FireEye’s report stated: “This cyber-espionage activity is happening against the backdrop of China’s multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel’s robust technology sector.
“China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions [including] political, economic, and security,” the company said, adding that it anticipates China will “continue targeting governments and organizations involved in these critical infrastructure projects”.
The Trump administration warned that OBOR investments by China would open up security threats.
The report stated that Chinese hackers also attempted to infiltrate computer networks in the UAE and elsewhere.