Cyber intelligence company FireEye published research attributing cyberattacks against Israeli organizations, including security-related ones, to Chinese intelligence. The activity is said to be aimed at obtaining Israeli technology and furthering the political interests of Beijing

"Between 2019 and 2020, Mandiant responded to several incidents," the report said. "After gaining initial access, the operators conduct credential harvesting and extensive internal network reconnaissance. This includes running native Windows commands on compromised servers, executing ADFind on the Active Directory, and scanning the internal network with numerous publicly available tools and a non-public scanner we named WHEATSCAN. The operators made a consistent effort to delete these tools and remove any residual forensic artifacts from compromised systems."

According to the report, the hacker group operated in Israel, Iran, the United Arab Emirates, Kazakhstan and other countries. The report attributes the Chinese activity in Israeli cyberspace to investments that China is making in Israel under its "Belt and Road Initiative", as well as to China's desire for Israeli technology. "As China’s BRI moves westward, its most important construction projects in Israel are the railway between Eilat and Ashdod, a private port at Ashdod, and the port of Haifa," the researchers wrote.   

"In addition to data from Mandiant Incident Response and FireEye telemetry, we worked with Israeli defense agencies to review data from additional compromises of Israeli entities. This analysis showed multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019. During this time, UNC215 used new TTPs to hinder attribution and detection, maintain operational security, employ false flags, and leverage trusted relationships for lateral movement. We believe this adversary is still active in the region."