An extensive cyberespionage campaign was disclosed today, targeting high-value international and U.S. government agencies and companies and emanating from an IP address associated with Tsinghua University, colloquially known as “China’s MIT.”
The actors have gone after a range of targets, including Alaska Power & Telephone, Alaska’s state Department of Natural Resources, the United Nations office in Nairobi, the Kenya Ports Authority, various Tibetan authorities, the public ministry in Brazil, automotive giant Daimler AG and U.S. wireless provider Safety NetAccess, among others. The targets were scanned millions of times, and all are in some way linked to China’s ongoing economic development activities, according to researchers.
A Very Active IP Address
Recorded Future’s Insikt Group first uncovered the campaign after identifying a novel Linux backdoor called “ext4,” deployed against a Tibetan victim group. In analyzing the backdoor, which was stealthily embedded in a system file, the firm noticed it making repeated attempted connections to the same compromised CentOS web server, housed in infrastructure registered to Tsinghua University.
The backdoor itself behaved unusually, which led Recorded Future deeper into the analysis. It found that the Tsinghua IP that the backdoor attempts to connect back to has been involved in other espionage-related efforts in the past, including scanning, brute-force attacks and active exploitation attempts.
“It has triggered several risk rules, including being flagged by the Taichung City Education Bureau in Taiwan, which tracks Chinese-originating malicious cyber-indicators, and appears in an AlienVault blacklist,” Recorded Future researchers explained in an in-depth analysis of the initiative [PDF], released today.
After more digging, the same IP address was observed conducting several network reconnaissance efforts against high-profile organizations – and on a notably large scale.
For instance, between April 6 and June 24, Recorded Future observed over 1 million IP connections between the Tsinghua IP and several networks in Alaska, including the Alaska Communications Systems Group, Alaska Department of Natural Resources, Alaska Power & Telephone Co., various State of Alaska government entities and TelAlaska.
“The vast number of connections between the Tsinghua IP and [these] organizations relate to the bulk scanning of ports 22, 53, 80, 139, 443, 769 and 2816 on the Alaskan networks, and were likely conducted to ascertain vulnerabilities and gain illegitimate access,” researchers said. “The scanning activity was conducted in a systematic manner with entire IP ranges dedicated to the organizations probed for [these] ports.”
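The scanning pattern quoted above, a single source probing whole IP ranges on one small, fixed set of ports, is easy to pick out of flow or firewall logs once the records are grouped by source. The following script is an added example, not code from the Recorded Future report or from this article: it reads constructed flow records in a hypothetical "timestamp src dst dport" format, keeps only the ports named in the report, and flags any source that touches many distinct hosts on that port set, summarising which /24 ranges it swept and how fast. All addresses and the record format are assumptions for illustration.

```python
"""Flag bulk port scanning in flow records.

Added example, not code from the Recorded Future report or the article.
Detection idea: a single source contacting many distinct hosts on the same
small set of ports is reconnaissance, not normal client traffic.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Ports the report says were bulk-scanned on the Alaskan networks.
WATCHED_PORTS = {22, 53, 80, 139, 443, 769, 2816}

# Constructed sample flow records: "<ISO time> <src> <dst> <dport>".
# 203.0.113.7 sweeps a /24 on the watched ports; 198.51.100.5 is ordinary traffic.
SAMPLE_FLOWS = """
2018-05-21T10:00:01 203.0.113.7 192.0.2.1 22
2018-05-21T10:00:01 203.0.113.7 192.0.2.1 443
2018-05-21T10:00:02 203.0.113.7 192.0.2.2 22
2018-05-21T10:00:02 203.0.113.7 192.0.2.2 80
2018-05-21T10:00:03 203.0.113.7 192.0.2.3 139
2018-05-21T10:00:03 203.0.113.7 192.0.2.4 53
2018-05-21T10:00:04 203.0.113.7 192.0.2.5 769
2018-05-21T10:00:04 203.0.113.7 192.0.2.6 2816
2018-05-21T10:00:05 203.0.113.7 192.0.2.7 22
2018-05-21T10:00:05 203.0.113.7 192.0.2.8 443
2018-05-21T10:05:00 198.51.100.5 192.0.2.10 443
2018-05-21T10:06:00 198.51.100.5 192.0.2.10 443
2018-05-21T10:07:00 198.51.100.5 192.0.2.11 80
"""


def parse_flows(text):
    """Parse the hypothetical flow format into (time, src, dst, dport) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_scanners(records, watched_ports=WATCHED_PORTS, min_hosts=5):
    """Return {src: summary} for sources that probe >= min_hosts distinct
    destinations on the watched ports. The summary lists the ports used,
    the probe rate and how many hosts were hit in each /24."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport in watched_ports:
            by_src[src].append((ts, dst, dport))

    findings = {}
    for src, events in by_src.items():
        hosts = {dst for _, dst, _ in events}
        if len(hosts) < min_hosts:
            continue  # too few distinct targets to call it a sweep
        times = [ts for ts, _, _ in events]
        span = (max(times) - min(times)).total_seconds()
        # Count hits per /24 so a systematic range sweep stands out.
        subnets = Counter(
            str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in hosts
        )
        findings[src] = {
            "hosts": len(hosts),
            "ports": sorted({p for _, _, p in events}),
            "probes_per_sec": round(len(events) / max(span, 1.0), 2),
            "subnets": dict(subnets),
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(src, summary)
```

The threshold of five distinct hosts is deliberately low for the constructed sample; on a real network it should be tuned against baseline traffic, and the same grouping works on any log that records source, destination and destination port.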
It is not known if the actor’s efforts extended to actually compromising the networks or data, but the efforts to build a target map are clear.
“Our coverage did not extend to determining malware on the organization networks reported,” Moriuchi told us.
A Confusing Backdoor
The discovery of the ext4 backdoor on a Tibetan device enabled researchers to identify the wider targeting coming from the Tsinghua IP. However, none of the attempted connections to the Tibetan device from the Tsinghua IP resulted in the successful activation of the backdoor, leaving it unclear whether there are multiple threat actors using the same address, which could be a proxy.
“The backdoor was mostly inactive other than during a three-minute window every hour when it would activate and accept incoming connections on TCP port 443,” researchers said. “In total, Recorded Future’s unique coverage enabled us to observe 23 attempted connections to the same compromised CentOS server between May and June 2018. Every attempt originated from the same IP, which resolved to the China Education and Research Network Center [and Tsinghua University].”
Interestingly, ext4 packets require a unique combination of TCP header options to successfully connect with the server. In over 20 observed attempts, the Tsinghua IP did not transmit the correct TCP options to activate the backdoor, suggesting that the threat actors were making mistakes.
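A backdoor that only accepts connections during a fixed three-minute window each hour forces its operator onto a schedule, and that schedule shows up in logs even when, as here, the activation attempts fail. The script below is an added example written for this article, not code from Recorded Future: it parses constructed inbound-connection log lines in a hypothetical format, groups attempts by source, destination and port, and for each group measures how tightly the attempts cluster at the same minutes past the hour. A group whose attempts all fall within a short band of the hour, across different days, is flagged. The log format, addresses and timestamps are all assumptions.

```python
"""Spot connection attempts that recur in the same few minutes of every hour.

Added example, not code from the Recorded Future report or the article.
The report describes a backdoor that listens on TCP 443 only during a
three-minute window each hour; repeated attempts to reach it, successful
or not, cluster at the same offset within the hour.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical format:
# "<ISO time> SYN <src> -> <dst>:<port>"
# 203.0.113.7 always arrives at 17-19 minutes past the hour on different days;
# 198.51.100.5 connects at unrelated times.
SAMPLE_LOG = """
2018-05-14T03:17:40 SYN 203.0.113.7 -> 192.0.2.20:443
2018-05-15T11:18:05 SYN 203.0.113.7 -> 192.0.2.20:443
2018-05-17T22:19:10 SYN 203.0.113.7 -> 192.0.2.20:443
2018-05-20T06:17:55 SYN 203.0.113.7 -> 192.0.2.20:443
2018-05-23T14:18:30 SYN 203.0.113.7 -> 192.0.2.20:443
2018-05-29T09:18:50 SYN 203.0.113.7 -> 192.0.2.20:443
2018-05-14T08:02:00 SYN 198.51.100.5 -> 192.0.2.20:443
2018-05-15T09:15:00 SYN 198.51.100.5 -> 192.0.2.20:443
2018-05-16T10:25:00 SYN 198.51.100.5 -> 192.0.2.20:443
2018-05-17T11:33:20 SYN 198.51.100.5 -> 192.0.2.20:443
2018-05-18T12:51:40 SYN 198.51.100.5 -> 192.0.2.20:443
"""


def parse_attempts(text):
    """Group attempt timestamps by (src, dst, port)."""
    attempts = defaultdict(list)
    for line in text.strip().splitlines():
        ts, _, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        attempts[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return attempts


def hourly_cluster(timestamps, band_seconds=180, min_attempts=3):
    """Measure how tightly timestamps cluster at one offset within the hour.

    Offsets are placed on a 3600-second circle; the largest empty arc is found
    and the cluster is everything else, so a window straddling the top of the
    hour is handled correctly. Returns the cluster start (seconds past the
    hour), its spread, and whether it fits inside band_seconds."""
    if not timestamps:
        return None
    offsets = sorted(t.minute * 60 + t.second for t in timestamps)
    n = len(offsets)
    best_gap, best_idx = -1, 0
    for i in range(n):
        nxt = offsets[(i + 1) % n] + (3600 if i == n - 1 else 0)
        gap = nxt - offsets[i]
        if gap > best_gap:
            best_gap, best_idx = gap, (i + 1) % n
    spread = 3600 - best_gap
    return {
        "attempts": n,
        "window_start": offsets[best_idx],
        "spread_seconds": spread,
        "periodic": n >= min_attempts and spread <= band_seconds,
    }


def find_hourly_clients(text, port=443, band_seconds=180):
    """Return {(src, dst, port): cluster summary} for flows that recur in a
    fixed band of the hour on the given port."""
    findings = {}
    for key, times in parse_attempts(text).items():
        if key[2] != port:
            continue
        result = hourly_cluster(times, band_seconds)
        if result and result["periodic"]:
            findings[key] = result
    return findings


if __name__ == "__main__":
    for key, result in find_hourly_clients(SAMPLE_LOG).items():
        print(key, result)
```

On the victim side the complementary check is simpler: a process that binds a listening socket on 443 for a few minutes and then closes it, hour after hour, is worth a look regardless of who connects to it.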
As the firm explained, “[Either] the Tsinghua IP is being used by a threat actor to access the ext4 backdoor, but a technical fault or operator error is resulting in the misconfiguration of the TCP connection packets required to establish communication with the backdoor; [or], the Tsinghua IP is being used extensively to conduct network reconnaissance and cyberespionage, [but] the ext4 backdoor is … likely to belong to another threat actor not engaged in the network-scanning activity.”
Chinese Economic Links
Regardless of who’s actually behind the terminal, Tsinghua, one of the world’s top research and engineering schools, has been in the spotlight for cyber-capabilities in the past; Blue Lotus, a security research team composed of Tsinghua students and affiliated individuals, finished second in DEF CON’s 2016 Capture the Flag competition, for instance.
Recorded Future said that circumstantial evidence indicates that the espionage activities could be the work of Chinese state-sponsored actors working under the auspices of the university, given that they occurred “during times of economic dialogue or publicity around China’s investment in foreign infrastructure projects concerning China’s flagship Belt and Road Initiative (BRI).”
For instance, the spy efforts against Alaskan organizations increased following the governor of Alaska’s trade delegation trip to China in late May, dubbed “Opportunity Alaska.” Led by Alaska Gov. Bill Walker, discussions occurred around the prospect of a gas pipeline between Alaska and China.
“Organizations targeted by the reconnaissance activity were in industries at the heart of the trade discussions, such as oil and gas,” according to the paper.
The pattern repeated for each of the reconnaissance targets, she added. For instance, “The targeting of German automotive multinational Daimler AG was observed a day after it announced a profit warning in light of the growing U.S. and China trade tensions,” the firm said.
The Tsinghua IP also scanned government departments and commercial entities in Mongolia, Kenya and Brazil, each of which is a key investment destination under the BRI, to which Beijing has committed $4 trillion in investment to connect major economic centers in Eurasia and beyond, a sort of digital version of the ancient Silk Road.
“We assess with medium confidence that the network reconnaissance activities we uncovered were conducted by Chinese state-sponsored actors in support of China’s economic development goals,” the firm concluded, adding that it continues to monitor the activity.