London Daily

Focus on the big picture.
Saturday, May 31, 2025

Chinese cyber spies 'posed as Iranians while targeting Israeli government'

Chinese cyber spies 'posed as Iranians while targeting Israeli government'

According to threat intelligence researchers, the hackers attempts to conceal their origin was more likely an effort to slow down response efforts than actually frame Iran.

A cyber espionage group from China masqueraded as Iranian hackers while breaking into and spying on Israeli government institutions, according to a new report by security researchers.

The report from security company FireEye, which unmasked the group alongside Israeli defence agencies, says there is insufficient evidence to link the espionage group to the Chinese state.

However, the company's threat analysts are confident that the espionage group is Chinese and that its targets "are of great interest to Beijing's financial, diplomatic, and strategic objectives".

The hackers' attempt to conceal their nationality was "a little bit unusual", according to Jens Monrad, who heads the work of FireEye's threat intelligence division Mandiant in EMEA.

"We have seen historically a few false flag attempts. We saw one during the Olympics in South Korea," he told Sky News, referencing Russian hackers pretending to be Chinese and North Korean.

"There might be several reasons why a threat actor wants to do a false flag - obviously it makes the analysis a bit more complex," Mr Monrad told Sky News.

The report focused on cyber spying targeting Israeli government institutions, IT providers, and telecommunications entities, but the group had additionally attempted to hack computer networks in the UAE and elsewhere.

Mr Monrad said the attempt to conceal the hackers' identity "wasn't very clever" but did slow the company's analysis of these incidents, which he added may have been the goal.

The Chinese group attempted to use Farsi in the parts of code which could be recovered by incident response teams, and also used hacking tools associated with Iranian groups that had previously been leaked online.

However, linguistic analysts at FireEye said the terms chosen by the group wouldn't have been used by native Farsi speakers.

"The use of Farsi strings, filepaths containing /Iran/, and web shells publicly associated with Iranian APT [Advanced Persistent Threat] groups may have been intended to mislead analysts and suggest an attribution to Iran," the report said.

FireEye said that although this group and the known state-sponsored group designated APT 27 had some overlaps, particularly in their targets, the company could only have low confidence in linking them together.

The Iranian government accused APT 27 of hacking into its networks in 2019.

Though the report was published this week, the hacking activities precede a warning in July from President Joe Biden about the growing likelihood of the US ending up in "a real shooting war with a major power" as a result of a cyber attack.

Speaking to Sky News previously - following then British defence secretary Gavin Williamson claiming that Moscow could cause "thousands and thousands and thousands" of deaths in the UK with a cyber attack - Mr Monrad cautioned that military responses to such an attack would requite a "very high certainty of attribution".

The new group, designated UNC 215 - meaning it is unclassified as either a state-sponsored group or one operating independently - also used the Hindi language and Arabic when targeting Uzbekistan.

FireEye's report stated: "This cyber espionage activity is happening against the backdrop of China's multi-billion-dollar investments related to the Belt and Road Initiative (BRI) and its interest in Israel's robust technology sector.

"China has conducted numerous intrusion campaigns along the BRI route to monitor potential obstructions [including] political, economic, and security," the company said, adding that it anticipates China will "continue targeting governments and organisations involved in these critical infrastructure projects".

The report follows the UK and allies accusing China of "systematic cyber sabotage" following an espionage operation earlier this year which also allowed criminals, potentially including those which Beijing used as contractors, to access the affected servers.

At the time, Chinese foreign ministry spokesman Zhao Lijian said: "The US ganged up with its allies and launched an unwarranted accusation against China on cybersecurity. It is purely a smear and suppression out of political motives. China will never accept this."

Newsletter

Related Articles

0:00
0:00
Close
Satirical Sketch Sparks Political Spouse Feud in South Korea
Indonesia Quarry Collapse Leaves Multiple Dead and Missing
South Korean Election Video Pulled Amid Misogyny Outcry
Asian Economies Shift Away from US Dollar Amid Trade Tensions
Netflix Investigates Allegations of On-Set Mistreatment in K-Drama Production
US Defence Chief Reaffirms Strong Ties with Singapore Amid Regional Tensions
Vietnam Faces Strategic Dilemma Over China's Mekong River Projects
Malaysia's First AI Preacher Sparks Debate on Islamic Principles
White House Press Secretary Criticizes Harvard Funding, Advocates for Vocational Training
France to Implement Nationwide Smoking Ban in Outdoor Spaces Frequented by Children
Meta and Anduril Collaborate on AI-Driven Military Augmented Reality Systems
Russia's Fossil Fuel Revenues Approach €900 Billion Since Ukraine Invasion
U.S. Justice Department Reduces American Bar Association's Role in Judicial Nominations
U.S. Department of Energy Unveils 'Doudna' Supercomputer to Advance AI Research
U.S. SEC Dismisses Lawsuit Against Binance Amid Regulatory Shift
Alcohol Industry Faces Increased Scrutiny Amid Health Concerns
Italy Faces Population Decline Amid Youth Emigration
U.S. Goods Imports Plunge Nearly 20% Amid Tariff Disruptions
OpenAI Faces Competition from Cheaper AI Rivals
Foreign Tax Provision in U.S. Budget Bill Alarms Investors
Trump Accuses China of Violating Trade Agreement
Gerry Adams Wins Libel Case Against BBC
Russia Accuses Serbia of Supplying Arms to Ukraine
EU Central Bank Pushes to Replace US Dollar with Euro as World’s Main Currency
Chinese Woman Dies After Being Forced to Visit Bank Despite Critical Illness
President Trump Grants Full Pardons to Reality TV Stars Todd and Julie Chrisley
Texas Enacts App Store Accountability Act Mandating Age Verification
U.S. Health Secretary Ends Select COVID-19 Vaccine Recommendations
Vatican Calls for Sustainable Tourism in 2025 Message
Trump Warns Putin Is 'Playing with Fire' Amid Escalating Ukraine Conflict
India and Pakistan Engage Trump-Linked Lobbyists to Influence U.S. Policy
U.S. Halts New Student Visa Interviews Amid Enhanced Security Measures
Trump Administration Cancels $100 Million in Federal Contracts with Harvard
SpaceX Starship Test Flight Ends in Failure, Mars Mission Timeline Uncertain
King Charles Affirms Canadian Sovereignty Amid U.S. Statehood Pressure
Trump Threatens 25% Tariff on iPhones Amid Dispute with Apple CEO
Putin's Helicopter Reportedly Targeted by Ukrainian Drones
Liverpool Car Ramming Incident Leaves Multiple Injured
Australia Faces Immigration Debate Following Labor Party Victory
Iranian Revolutionary Guard Founder Warns Against Trusting Regime in Nuclear Talks
Macron Dismisses Viral Video of Wife's Gesture as Playful Banter
Cleveland Clinic Study Questions Effectiveness of Recent Flu Vaccine
Netanyahu Accuses Starmer of Siding with Hamas
Junior Doctors Threaten Strike Over 4% Pay Offer
Labour MPs Urge Chancellor to Tax Wealthy Over Cutting Welfare
Publication of UK Child Poverty Strategy Delayed Until Autumn
France Detains UK Fishing Vessel Amid Post-Brexit Tensions
Calls Grow to Resume Syrian Asylum Claims in UK
Nigel Farage Pledges to Reinstate Winter Fuel Payments
Boris and Carrie Johnson Welcome Daughter Poppy
×