Tuesday, August 10, 2021

China's massive cyberattack against Israel

From Haaretz:

Dozens of Israeli organizations, both public and private, fell victim to a coordinated cyberattack that most likely originated in China, the international cybersecurity company FireEye announced Monday.

This is the first documented case of a large-scale Chinese attack on Israel. It was part of a broader campaign that targeted many other countries, including Iran, Saudi Arabia, Ukraine, Uzbekistan and Thailand. FireEye has been monitoring the operation for two years.

According to the company’s report, the Israeli targets came from the fields of shipping, high-tech, telecommunications, defense, academia and information technology. IT companies are particularly sought-after targets because they are what is known as a supply chain threat – meaning that through them, the hackers can reach many other companies.

The attacks were aimed at stealing know-how, commercial secrets and business intelligence.

Sanaz Yashar, who led FireEye’s investigation into Israeli targets, said that one possible factor in the attacks is China’s Belt and Road Initiative, which is meant to create a continuous land and water route around the world for Chinese products. This initiative “is connected with huge infrastructure projects in which China is involved, including in Israel, like ports or railroads,” she explained.

“Another Chinese interest in Israel is its technology sector,” Yashar said. “There are a lot of Israeli companies that are involved in the very fields at the core of Chinese interests, as reflected in their five-year plans.

“Their goal isn’t necessarily always to steal intellectual property; it’s possible that they’re actually looking for business information,” she added. “In the Chinese view, it’s legitimate to attack a company while negotiating with it, so they will know how to price the deal properly.

“When the Chinese do business, they don’t enter the contract with their eyes shut. They examine the other offers, the board of directors’ emails, correspondence among people, what the intrigues are and who the key people are.”

Yashar said the Chinese are most likely interested in know-how in fields such as cybersecurity, renewable energy, agricultural technologies and 5G communications. “Anyone who does business with China also interests them,” she added.

The hackers mainly took email correspondence and documents, Yashar said. “This attacker was specifically interested in emails, vacuuming up huge quantities of emails. We see that immediately after entering, they mapped the network and looked for document and email servers.”

They also seized usernames and passwords – possibly to be able to reenter the same targets later on, or possibly to enable them to enter different targets.

By analyzing the hacking tools used and comparing them to similar attacks in the past, FireEye concluded that China’s Ministry of State Security was behind the attack.

From the description given, this wasn't an "attack" per se - it was a huge reconnaissance mission.

China recognizes the value of information and is not shy about using any means to obtain it. To them, stealing emails and passwords is as routine a way of gathering information as running a search engine is for everyone else.

Israel is working with China on critical infrastructure projects - a new railway between Eilat and Ashdod, a private port at Ashdod, and the port of Haifa. There is no doubt that China wants to leverage those into more espionage and intelligence gathering. Moreover, China partners with many Israeli high tech companies, and it is no doubt extracting information from them as well.

Israel must be far more cautious about partnering with China. The Haaretz article indicates that Israel may be waking up to that fact: it appears to have stopped a couple of major deals in which Chinese companies would have bought an Israeli mobile operator and an insurance company.

The FireEye report describes how China is getting more and more sophisticated at trying to hide its tracks. For example, it auto-translated some of the artifacts in its attack tools into Farsi to make Israelis think this was an Iranian attack. (The language was stilted and used terms that native Farsi speakers wouldn't use.) They also wrote tools specifically to clean up indications that they were ever in the computer systems to begin with.