UNC215: Spotlight on a Chinese Espionage Campaign in Israel | Mandiant
Tags
cmtmf-attack-pattern: Acquire Infrastructure, Application Layer Protocol, Boot Or Logon Autostart Execution, Command And Scripting Interpreter, Data Encrypted, Exploit Public-Facing Application, Obfuscated Files Or Information, Obtain Capabilities, Process Injection, Stage Capabilities, Trusted Relationship
country: Argentina, China, Iceland, Iran, Israel, Kazakhstan, Turkey, Uzbekistan
maec-delivery-vectors: Watering Hole
attack-pattern: Acquire Infrastructure Data Direct Acquire Infrastructure - T1583; Software Discovery - T1418; Application Layer Protocol - T1437; Archive Collected Data - T1560; Archive Collected Data - T1532; Artificial Intelligence - T1588.007; Asymmetric Cryptography - T1521.002; Asymmetric Cryptography - T1573.002; Boot Or Logon Autostart Execution - T1547; Clipboard Data - T1414; Code Signing - T1553.002; Code Signing Certificates - T1587.002; Code Signing Certificates - T1588.003; Command And Scripting Interpreter - T1623; Create Or Modify System Process - T1543; Credentials - T1589.001; Dll Side-Loading - T1574.002; Domain Trust Discovery - T1482; Dynamic Data Exchange - T1559.002; Encrypted Channel - T1521; Encrypted Channel - T1573; Exploit Public-Facing Application - T1377; File And Directory Discovery - T1420; File Deletion - T1070.004; File Deletion - T1630.002; Hidden Window - T1564.003; Hide Artifacts - T1628; Hide Artifacts - T1564; Hijack Execution Flow - T1625; Hijack Execution Flow - T1574; Indicator Removal On Host - T1630; Ingress Tool Transfer - T1544; Input Capture - T1417; Install Digital Certificate - T1608.003; Inter-Process Communication - T1559; Ip Addresses - T1590.005; Keylogging - T1056.001; Keylogging - T1417.001; System Network Configuration Discovery - T1422; Lsass Memory - T1003.001; Malware - T1587.001; Malware - T1588.001; Obfuscated Files Or Information - T1406; Process Discovery - T1424; System Information Discovery - T1426; Obtain Capabilities - T1588; Powershell - T1059.001; Process Hollowing - T1055.012; Process Injection - T1631; Registry Run Keys / Startup Folder - T1547.001; Remote Desktop Protocol - T1021.001; Screen Capture - T1513; Server - T1583.004; Server - T1584.004; Server Software Component - T1505; Service Execution - T1569.002; Service Stop - T1489; Sharepoint - T1213.002; Software Discovery - T1518; Stage Capabilities - T1608; Subvert Trust Controls - T1632; Subvert Trust Controls - T1553; System Checks - T1633.001; System Checks - T1497.001; System Services - T1569; Thread Execution Hijacking - T1055.003; Windows Command Shell - T1059.003; Timestomp - T1070.006; Web Protocols - T1071.001; Web Protocols - T1437.001; Virtualization/Sandbox Evasion - T1497; Web Shell - T1505.003; Windows Service - T1543.003; Virtual Private Server - T1583.003; Virtual Private Server - T1584.003; Tool - T1588.002; Virtualization/Sandbox Evasion - T1633; Access Token Manipulation - T1134; Account Discovery - T1087; Account Manipulation - T1098; Standard Application Layer Protocol - T1071; Application Window Discovery - T1010; Clipboard Data - T1115; Code Signing - T1116; Command-Line Interface - T1059; Connection Proxy - T1090; Credential Dumping - T1003; Data Encrypted - T1022; Data From Information Repositories - T1213; Deobfuscate/Decode Files Or Information - T1140; Dll Side-Loading - T1073; Dynamic Data Exchange - T1173; Exploit Public-Facing Application - T1190; External Remote Services - T1133; File And Directory Discovery - T1083; File Deletion - T1107; Hidden Window - T1143; Indicator Removal On Host - T1070; Indirect Command Execution - T1202; Remote File Copy - T1105; Input Capture - T1056; Modify Registry - T1112; Standard Non-Application Layer Protocol - T1095; Obfuscated Files Or Information - T1027; Powershell - T1086; Process Discovery - T1057; Process Hollowing - T1093; Process Injection - T1055; Query Registry - T1012; Registry Run Keys / Start Folder - T1060; Remote Desktop Protocol - T1076; Remote Services - T1021; Screen Capture - T1113; Service Execution - T1035; System Information Discovery - T1082; System Network Configuration Discovery - T1016; System Owner/User Discovery - T1033; System Service Discovery - T1007; Valid Accounts - T1078; Timestomp - T1099; Web Shell - T1100; Trusted Relationship - T1199; Data From Information Repositories; Exploit Public-Facing Application; External Remote Services; Indicator Removal On Host; Screen Capture; Service Stop; Valid Accounts
Common Information
Type Value
UUID 013fc848-7565-4c13-bf54-12b532e984b1
Fingerprint efd91d7684b120d3
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 10, 2021, midnight
Added to db Nov. 19, 2023, 1:56 a.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline UNC215: Spotlight on a Chinese Espionage Campaign in Israel
Title UNC215: Spotlight on a Chinese Espionage Campaign in Israel | Mandiant
Detected Hints/Tags/Attributes 237/4/105
RSS Feed
Id: 330
Enabled:
Feed title: Threat Intelligence
Url: https://www.mandiant.com/resources/blog/rss.xml
Added to db: 2024-08-30 22:08
Attributes
Type (#Events): CTI Value
CVE (58): cve-2019-0604
Domain (3): downloader.win
Domain (18): generic.mg
File (2): reformu-not-3.doc
File (6): 3.doc
File (2): anti.exe
File (7): win32.dll
md5 (1): 0ec4d0a477ba21bda9a96d8f360a6848
md5 (2): 04dece2662f648f619d9c0377a7ba7c0
md5 (1): e3e1b386cdc5f4bb2ba419eb69b1b921
md5 (2): c25e8e4a2d5314ea55afd09845b3e886
md5 (1): 625dd9048e3289f19670896cf5bca7d8
md5 (1): 3d95e1c94bd528909308b198f3d47620
md5 (1): f335b241652cb7f7e736202f14eb48e9
md5 (1): a0b2193362152053671dbe5033771758
md5 (1): 6a9a4da3f7b2075984f79f67e4eb2f28
md5 (1): a19370b97fe64ca6a0c202524af35a30
md5 (1): 3c1981991cce3b329902288bb2354728
md5 (1): 26d079e3afb08af0ac4c6d92fd221e71
md5 (1): 19c46d01685c463f21ef200e81cb1cf1
md5 (1): 28ce8dbdd2b7dfd123cebbfff263882c
md5 (1): a78c53351e23d3f84267e67bbca6cf07
md5 (1): 04c51909fc65304d907b7cb6c92572cd
md5 (1): 0e061265c0b5998088443628c03188f0
md5 (1): 09ffc31a432f646ebcec59d32f286317
md5 (1): 6ca8993b341bd90a730faef1fb73958b
md5 (1): d13311df4e48a47706b4352995d67ab0
md5 (1): d875858dbd84b420a2027ef5d6e3a512
md5 (1): ac431261b8852286d99673fddba38a50
md5 (2): 6930bd66a11e30dee1ef4f57287b1318
IPv4 (1): 192.168.1.237
IPv4 (1): 192.168.4.26
IPv4 (1): 192.168.4.197
IPv4 (3): 139.59.81.253
IPv4 (1): 159.89.168.83
IPv4 (1): 103.59.144.183
IPv4 (1): 178.79.177.69
IPv4 (1): 138.68.154.133
IPv4 (1): 206.189.123.156
IPv4 (1): 159.65.80.157
IPv4 (1): 128.199.44.86
IPv4 (1): 46.101.255.16
IPv4 (1): 178.79.143.78
IPv4 (3): 85.204.74.143
IPv4 (5): 103.79.78.48
IPv4 (4): 89.35.178.105
IPv4 (4): 47.75.49.32
IPv4 (1): 34.65.151.250
IPv4 (1): 141.164.52.232
Mandiant Uncategorized Groups (9): UNC215
MITRE ATT&CK Techniques (173): T1003.001
MITRE ATT&CK Techniques (100): T1007
MITRE ATT&CK Techniques (75): T1010
MITRE ATT&CK Techniques (501): T1012
MITRE ATT&CK Techniques (245): T1016
MITRE ATT&CK Techniques (160): T1021.001
MITRE ATT&CK Techniques (627): T1027
MITRE ATT&CK Techniques (230): T1033
MITRE ATT&CK Techniques (440): T1055
MITRE ATT&CK Techniques (20): T1055.003
MITRE ATT&CK Techniques (86): T1055.012
MITRE ATT&CK Techniques (118): T1056.001
MITRE ATT&CK Techniques (433): T1057
MITRE ATT&CK Techniques (460): T1059.001
MITRE ATT&CK Techniques (333): T1059.003
MITRE ATT&CK Techniques (297): T1070.004
MITRE ATT&CK Techniques (93): T1070.006
MITRE ATT&CK Techniques (442): T1071.001
MITRE ATT&CK Techniques (306): T1078
MITRE ATT&CK Techniques (1006): T1082
MITRE ATT&CK Techniques (585): T1083
MITRE ATT&CK Techniques (179): T1087
MITRE ATT&CK Techniques (152): T1090
MITRE ATT&CK Techniques (159): T1095
MITRE ATT&CK Techniques (112): T1098
MITRE ATT&CK Techniques (492): T1105
MITRE ATT&CK Techniques (550): T1112
MITRE ATT&CK Techniques (219): T1113
MITRE ATT&CK Techniques (82): T1115
MITRE ATT&CK Techniques (191): T1133
MITRE ATT&CK Techniques (116): T1134
MITRE ATT&CK Techniques (504): T1140
MITRE ATT&CK Techniques (542): T1190
MITRE ATT&CK Techniques (52): T1199
MITRE ATT&CK Techniques (60): T1202
MITRE ATT&CK Techniques (56): T1213
MITRE ATT&CK Techniques (124): T1482
MITRE ATT&CK Techniques (197): T1489
MITRE ATT&CK Techniques (238): T1497
MITRE ATT&CK Techniques (97): T1497.001
MITRE ATT&CK Techniques (104): T1505.003
MITRE ATT&CK Techniques (185): T1518
MITRE ATT&CK Techniques (180): T1543.003
MITRE ATT&CK Techniques (380): T1547.001
MITRE ATT&CK Techniques (55): T1553.002
MITRE ATT&CK Techniques (10): T1559.002
MITRE ATT&CK Techniques (157): T1560
MITRE ATT&CK Techniques (66): T1564.003
MITRE ATT&CK Techniques (174): T1569.002
MITRE ATT&CK Techniques (74): T1573.002
MITRE ATT&CK Techniques (227): T1574.002
MITRE ATT&CK Techniques (62): T1583.003
MITRE ATT&CK Techniques (33): T1588.003
MITRE ATT&CK Techniques (17): T1608.003
Threat Actor Identifier - APT (297): APT27
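The attribute list above is raw extraction output and is not deployable as-is. In particular, the 192.168.x.x entries are RFC 1918 private addresses: they cannot identify attacker infrastructure on the public internet and would fire on every network they are loaded into. The following is an added example, not code from the aggregator or from Mandiant, that triages (type, value) pairs of the kind listed in this record: it validates MD5 and CVE formats, separates globally routable IPv4 addresses from private, loopback and otherwise non-routable ones, and collects everything else for manual review. The sample input is a constructed subset of the values above plus two deliberately malformed entries; the function and field names are this example's own.

```python
"""Triage of indicators extracted from a CTI record (added example)."""
import ipaddress
import re

# Constructed sample: a subset of the record's attributes plus two malformed
# entries and one duplicate, so the review path is exercised.
SAMPLE_ATTRIBUTES = [
    ("CVE", "cve-2019-0604"),
    ("md5", "0ec4d0a477ba21bda9a96d8f360a6848"),
    ("md5", "04dece2662f648f619d9c0377a7ba7c0"),
    ("md5", "0ec4d0a477ba21bda9a96d8f360a6848"),  # duplicate, must collapse
    ("md5", "deadbeef"),                            # constructed: too short
    ("IPv4", "192.168.1.237"),                      # RFC 1918, not actionable
    ("IPv4", "139.59.81.253"),
    ("IPv4", "103.79.78.48"),
    ("IPv4", "999.1.1.1"),                          # constructed: not an address
    ("File", "win32.dll"),
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def classify_ipv4(value):
    """Return 'public', 'private' or 'invalid' for an IPv4 string.

    Anything that is not globally routable (RFC 1918, loopback, link-local,
    multicast, reserved) is reported as 'private': such addresses describe
    the victim's or analyst's own network, never remote C2 infrastructure.
    """
    try:
        addr = ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        return "invalid"
    return "public" if addr.is_global else "private"


def triage(attributes):
    """Bucket (type, value) pairs into actionable sets and review items.

    Returns a dict with deduplicated 'hashes', 'network', 'cves' and
    'filenames' sets, and a 'review' list of (type, value, reason) tuples
    for entries that should not be loaded into a blocklist unchecked.
    """
    result = {"hashes": set(), "network": set(), "cves": set(),
              "filenames": set(), "review": []}
    for kind, raw in attributes:
        value = raw.strip()
        if kind == "md5":
            v = value.lower()
            if MD5_RE.match(v):
                result["hashes"].add(v)
            else:
                result["review"].append((kind, raw, "not a 32-hex MD5"))
        elif kind == "IPv4":
            cls = classify_ipv4(value)
            if cls == "public":
                result["network"].add(value)
            else:
                result["review"].append((kind, raw, cls + " address"))
        elif kind == "CVE":
            v = value.upper()
            if CVE_RE.match(v):
                result["cves"].add(v)
            else:
                result["review"].append((kind, raw, "malformed CVE id"))
        elif kind == "File":
            # Bare filenames are hunt leads, not block criteria: keep them
            # separate from hashes so they are never treated as strong IOCs.
            result["filenames"].add(value)
        else:
            result["review"].append((kind, raw, "unhandled type"))
    return result


def render_blocklist(result):
    """Flatten the actionable sets into sorted 'type:value' lines."""
    lines = ["md5:" + h for h in result["hashes"]]
    lines += ["ipv4:" + ip for ip in result["network"]]
    return sorted(lines)


if __name__ == "__main__":
    r = triage(SAMPLE_ATTRIBUTES)
    print("\n".join(render_blocklist(r)))
    for kind, value, reason in r["review"]:
        print("REVIEW %s %s: %s" % (kind, value, reason))
```

The split between `network`/`hashes` and `filenames` is deliberate: a name such as win32.dll matches legitimate files on every Windows host, so it belongs in a hunting query joined with other evidence, not in a detection that blocks on its own.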