Insikt Group has detected separate intrusion activity targeting a mail server of Roshan, one of Afghanistan’s largest telecommunications providers, linked to 4 distinct Chinese state-sponsored threat activity groups. This includes activity we attribute to the Chinese state-sponsored groups RedFoxtrot and Calypso APT, as well as 2 additional clusters using the Winnti and PlugX backdoors that we have been unable to link to established groups at this time. Notably, data exfiltration activity for these intrusions, particularly the Calypso APT activity and the unknown threat actor using the Winnti malware, spiked throughout August and September 2021, coinciding with major geopolitical events such as the withdrawal of US troops and a resurgence in Taliban control. This focus on intelligence gathering targeting one of Afghanistan’s largest telecommunications providers is likely in part driven by the Chinese Communist Party’s (CCP) purported desire to expand influence within Afghanistan under renewed Taliban rule. The telecommunications firm offers a hugely valuable platform for strategic intelligence collection, be it for monitoring of downstream targets, bulk collection of communication data, as well as the ability to track and monitor individual targets. Moreover, the Chinese government considers the telecommunications sector to be of strategic significance in countries participating in the Belt and Road Initiative.

Timeline of Activity

Insikt Group tracks and regularly reports on a range of Chinese state-sponsored threat activity groups, exemplified by our recent RedFoxtrot reporting in June 2021. One of the methods used to track these groups combines adversary infrastructure detection methods and Recorded Future Network Traffic Analysis (NTA) data. Through our tracking of malicious infrastructure associated with known Chinese state-sponsored actors, we identified multiple concurrent intrusions targeting Roshan over the past year linked to 4 separate activity groups:

• The earliest identified activity targeting Roshan is linked to the suspected Chinese state-sponsored group Calypso APT, and has been ongoing from at least July 2020 to September 2021, and was first reported by Insikt Group in August last year.
• More recently, the same Roshan server was identified communicating with RedFoxtrot PlugX command and control infrastructure from at least March to May 2021. During this time, RedFoxtrot was also identified targeting a second Afghan telecommunications organization.
• Two more clusters were also engaged in the targeting of the same Roshan mail server. These are referred to as the Winnti and PlugX clusters respectively and are outlined further in the sections below. Both of these clusters appear unrelated to each other or the Calypso APT and RedFoxtrot activity, but we have been unable to link them to a tracked activity group at this time.

The targeting of the same organization by activity groups under the same state sponsorship is not unusual, particularly for Chinese adversaries. Many of these groups have separate intelligence requirements and, due to the scale of the Chinese intelligence apparatus, are often not coordinated in their targeting and collection. In this case, as visible in Figure 1, there has been an increase in data exfiltration events associated with the Calypso APT and Winnti intrusions in August and September 2021. This is indicative of both historical strategic collection targeting Afghanistan as well as a further concentration of activity in line with major geopolitical events.

Afghanistan is strategically important to China for several reasons, particularly in the wake of the US withdrawal. For one, the PRC likely seeks to increase its influence within Afghanistan to prevent regional instability and extremism from spreading into the bordering Xinjiang Uyghur Autonomous Region of the PRC, as well as to other Central Asian countries. These issues raise national security concerns and a need to protect PRC interests in the region, including major Belt and Road Initiative (BRI) investments. The US withdrawal also presents the PRC with opportunities for major new BRI-linked and extractive industry projects within Afghanistan.

Analyse technique

As shown in Figure 2, the compromised Roshan server has been identified communicating with a range of adversary C2 infrastructure, particularly associated with the PlugX malware family commonly used by Chinese state-sponsored groups. The section below contains a breakdown of the intrusion activity by group.

RedFoxtrot

En juin 2021, Insikt Group a fait état d'activités de RedFoxtrot ciblant des organisations gouvernementales, de défense et de télécommunications en Asie du Sud et en Asie centrale depuis au moins 2014. Nous avons établi un lien entre ce groupe d'activité et l'unité 69010 du département des systèmes de réseau (NSD) de la Force de soutien stratégique de l'Armée populaire de libération (PLASSF) située à Ürümqi, dans le Xinjiang, grâce au laxisme de la sécurité opérationnelle employée par un opérateur RedFoxtrot suspecté d'être à l'origine de cette activité. Le groupe utilise une série de variantes de logiciels malveillants sur mesure généralement associées à des groupes chinois, telles que IceFog, QUICKHEAL et RoyalRoad, ainsi que d'autres outils plus largement disponibles et souvent utilisés par des acteurs malveillants liés à la Chine, tels que Poison Ivy, PlugX et PCShare.
Dans les analyses de suivi réalisées en juillet et septembre 2021, nous avons constaté que RedFoxtrot abandonnait une grande partie de son infrastructure opérationnelle à la suite de la divulgation publique et nous avons signalé plusieurs nouvelles victimes dans les secteurs de l'administration et de la défense en Inde et au Pakistan. Les activités de RedFoxtrot ciblant Roshan ont cessé avant notre enquête publique reporting sur le groupe en juin 2021 et étaient liées à l'infrastructure de commandement et de contrôle PlugX suivante :

Table 1: Indicateurs PlugX RedFoxtrot de Roshan Intrusion

Calypso APT

In March 2021, Insikt Group reported on the Calypso APT conducting a mass exploitation campaign targeting Microsoft Exchange servers using the ProxyLogon exploit chain (CVE-2021-26855, CVE-2021-27065), alongside several other Chinese state-sponsored groups. One of the PlugX C2 domains highlighted in this activity, www.membrig[.]com, remains active and is linked to ongoing intrusion activity targeting Roshan.

Table 2: Indicateurs APT Calypso d'intrusion Roshan

Unknown Winnti Cluster

The Winnti backdoor has historically been used by several Chinese state-sponsored groups, including APT41/Barium, APT17, and most recently a group tracked by Insikt Group as TAG-22. The Winnti backdoor is commonly associated with activity linked to multiple groups of loosely connected private contractors operating on behalf of China’s Ministry of State Security (MSS). In September 2020, the US Department of Justice (DoJ) charged 5 Chinese nationals linked to APT41, which had access to Winnti malware, with conducting widespread intrusion operations targeting over 100 victims globally.

In relation to the Roshan targeting, we identified a high level of data exfiltration activity from the targeted Roshan server and the Winnti C2 45.76.144[.]44, from at least August 17 to September 12, 2021. We have been unable to link this Winnti C2 infrastructure with a known group, but it is very likely separate from the RedFoxtrot and Calypso APT activity highlighted above.

Unknown PlugX Cluster

Finally, the same Roshan mail server was also identified communicating with an additional PlugX C2 server from April to August 2021. This PlugX C2, 45.86.162[.]135, is linked to the Australia-based PS hosting reseller Crowncloud.

Outlook

Several Chinese state-sponsored groups remain highly active across Central Asia, often operating in an uncoordinated manner, likely due to differing tasking and chains of command. Like other geopolitical flashpoints such as India and the South China Sea, Afghanistan is likely to remain a prime target for Chinese government intelligence collection following the US’s withdrawal and the Taliban’s takeover. Always a prime target of cyberespionage activity, telecommunications organizations are at particularly high risk within these regions due to the intelligence value of the data they hold. Additionally, the Chinese government considers it a strategic priority to influence the telecommunications sectors of countries participating in the Belt and Road Initiative, giving it increasing leverage in the debate over global internet governance.