UNC215 Chinese Cyber-Espionage

According to research published recently, a Chinese espionage group named UNC215 leveraged Remote Desktop Protocols to gain a¬¬¬¬ccess to an Israeli government network using stolen credentials from trusted third parties.

What is SharePoint?

SharePoint is a website-based collaboration system developed by Microsoft that uses workflow applications, “list” databases, and other web parts and security features to empower business teams to work together. SharePoint also gives the company using the platform the ability to control access to information and automate workflow processes across business units.

An Example of SharePoint Farm

An Example of SharePoint Farm

What is a SharePoint Farm?

A SharePoint farm is a collection of servers that work in concert to provide a set of basic SharePoint services to support a single site, it can be hosted on the cloud, on a company’s private data center or across multiple data centers across multiple locations which could be useful for the organization with employees across the globe.

What is CVE-2019-0604?

It’s a remote code execution vulnerability which exists in the SharePoint application, when the software fails to check the source markup of an application package. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.


They were initially found in a sample from the SysUpdate malware family by NCC [National Computing Centre] Group in the year 2018, it is used for creating backdoors into Windows computers. They are also known by the names HyperSSL and Soldier

What is UNC215?

UNC215 is a Chinese espionage group responsible for a cyberattack on Israeli organizations and government institutions that began in 2019. They used false-flags to disguise themselves as Iran-linked threat actors. These attacks exploited the Microsoft SharePoint Vulnerability [CVE-2019-0604] to gain access into their systems which were used to install web shells and FOCUSFJORD payloads at targets located in Middle East and Central Asia, their targeting and techniques overlap with those of UNC215 and APT27 who are known to be located in China.As per a security report published by Mandiant:

APT27 has not been seen since 2015, and UNC215 is targeting many of the regions that APT27 previously focused on; however, we have not seen direct connection or shared tools, so we are only able to assess this link with low confidence
After gaining access to their infrastructure, the attackers performed an extensive reconnaissance on the internal network to harvest the credentials for malicious purposes, according to the experts they used a non-public network scanner called wheatscan along with FOCUSFJORD and HYBERBRO for creating a web-shell & logging keystrokes to spy on internal systems and maintain persistence with the target organization respectively.
The group was very sophisticated and spent a significant effort to fly under the radar, such as removing malware artifacts and using false flags. The main reason for this cyber espionage was to monitor potential obstructions against the BRI [Belt & Road Initiative] for which China has several billion dollars’ worth of investment.

Tagged in : cyber espionagevulnerabilitiesUNC215sharepointmicrosoft

Dave Zachariah

Dave has been a passionate entrepreneur since the age of 16 and is currently working at Cyber Efficient with the goal of making businesses easier.