Chinese hackers posed as Iranians to breach Israeli targets, FireEye says

Spooks often like to frame others for their work.
The skyline of Tel Aviv, Israel. (Photo by Yoni Lerner/Flickr)

Suspected Chinese spies masqueraded as Iranian hackers in a two-year campaign to break into government and telecommunication networks in Israel, security firm FireEye said Tuesday.

The alleged Chinese intruders used a hacking tool previously associated with Iranian operatives, and embedded some of their malicious code with Farsi, the predominant language in Iran. It was part of a broader campaign to gather intelligence at organizations in other Middle East and Central Asian countries that has continued this year, according to FireEye.

The findings show how spies plant digital evidence in an effort to throw off investigators in the high-stakes world of espionage. The revelations come amid a period of heightened scrutiny of Chinese cyber activity: The U.S. and its European allies in July condemned China’s alleged exploitation of Microsoft software and said that it enabled ransomware attacks.

John Hultquist, vice president of threat intelligence at Mandiant FireEye, said the targeting at Israeli organizations and elsewhere has “consistent with previous Chinese government activity.” FireEye has not pinpointed which Chinese government entity may have sponsored the espionage, Hultquist added.


“It’s a good reminder there may come a day when these things fool us,” he said of digital false-flag efforts. “We have to be careful not to be myopic and focus on the incidents that are just happening in our backyard, because we miss opportunities to see the use of new tactics.”

FireEye did not identify the victims of the hacking, saying only that there were “multiple, concurrent operations against Israeli government institutions, IT providers and telecommunications entities beginning in January 2019.”

One of the most famous false-flag efforts came when, according to U.S. officials and private analysts, Russia’s GRU military intelligence agency posed as North Korean hackers to disrupt some IT services during the 2018 Olympics in South Korea.

As in that incident, the alleged Chinese hackers tracked by FireEye chose to frame a likely suspect for their activity. Israel and Iran have repeatedly blamed each other for cyberattacks on their critical infrastructure.

Sino-Iranian cyber activity isn’t unheard of, either. In December 2019, Iran’s minister of information, communications and technology blamed APT 27 — a suspected Chinese government-linked group — for a “cyberattack” on Iranian government networks. FireEye said Tuesday that the group responsible for the intrusions in Israel and other Middle East and Central Asian countries has links with APT 27.


In response to the FireEye research, Liu Pengyu, spokesperson for the Chinese Embassy in Washington, D.C., claimed that the “U.S. is the world’s largest source of cyber attacks and attacks targeting China.”

“Given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, it’s important to have enough evidence when investigating and identifying cyber-related incidents,” Liu said.

FireEye said it investigated the breaches with Israeli defense agencies. A spokesperson for the Israeli Ministry of Defense referred a request for comment to Israel’s National Cyber Directorate, which did not respond.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts