Chinese Espionage Activity Tracks Economic Development Efforts

August 20, 2018 • Amanda McKeon

Researchers from Recorded Future’s Insikt Group have been tracking new malware targeting the Tibetan community, continuing an ongoing effort by the Chinese state to use cyberespionage to keep tabs on perceived domestic threats. They’ve uncovered a sophisticated new backdoor with some peculiar characteristics, and also concluded that many of these activities are being originated from servers located at a major Chinese research university.

Winnona DeSombre and Sanil Chohan, threat intelligence researchers at Recorded Future, are co-authors of the report “Chinese Cyberespionage Originating From Tsinghua University Infrastructure,” along with their colleague Justin Grosfelt. Winnona and Sanil are our guests today, and they’ll take us through what they’ve learned.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 70 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Researchers from Recorded Future’s Insikt Group have been tracking new malware targeting the Tibetan community, continuing an ongoing effort by the Chinese state to use cyberespionage to keep tabs on perceived domestic threats. They’ve uncovered a sophisticated new backdoor with some peculiar characteristics, and also concluded that many of these activities are being originated from servers located at a major Chinese research university.

Winnona DeSombre and Sanil Chohan are threat intelligence researchers at Recorded Future, and are co-authors of the report “Chinese Cyberespionage Originating from Tsinghua University Infrastructure,” along with their colleague, Justin Grosfelt. Winnona and Sanil are our guests today, and they’ll take us through what they’ve learned. Stay with us.

Winnona DeSombre:

We were following up on our more recent RedAlpha campaign work, where we were tracking Chinese cyberespionage against a series of Tibetan community victims, and found this really interesting Linux backdoor deployed against the same Tibetan victim group. Upon analyzing the backdoor, we actually noticed some connections to the same web server from Tsinghua University. Now, this university is effectively the MIT of China. So, it was incredibly fascinating to find a premier Chinese academic institution trying to break into a Tibetan victim group through a incredibly novel, specifically Linux-based, backdoor.

Sanil Chohan:

So, that was our entry point into this piece. We’re expecting it to be a fairly straightforward piece of analysis, looking at this new backdoor, reversing it, looking for some IOCs, and kind of fleshing out our technical analysis accordingly.

Dave Bittner:

Now, take us through some of the background here. I mean, the People’s Republic of China has quite a history when it comes to Tibet.

Winnona DeSombre:

Yes. So, the People’s Republic of China claims complete sovereignty over Tibet, and all Tibetan independence movements are considered separatist threats — sometimes even terrorist threats — by the Chinese government. So, aside from other forms of torsion, cyberespionage against Tibetan targets is pretty up there as a frequently used tool, especially when tensions are running pretty high.

Sanil Chohan:

Tibet is generally regarded as one of the Five Poisons for the Chinese state, that being, essentially, the five primary risks to the stability of the PRC government — the Chinese communist party. So, Tibet has long been regarded as an extension of the Chinese mainland. It’s treated as such by the Chinese central government, and therefore it poses quite an interesting predicament as far as foreign relations are concerned.

The Tibetans themselves, of course, think of themselves as an independent nation and are striving for independence, but that’s clamped down upon quite vigorously by the Chinese authorities. We see that being played out in a variety of different arenas on the peripheries of the Chinese mainland. The same kind of scope is played out with the Taiwanese, and also with the Falun Gong movement, which is a pseudo-religious movement that stemmed from the ‘50s and ‘60s.

Winnona DeSombre:

I think the first form of cyberespionage used against Tibet was called GhostNet in 2008, just used as a wider attempt to monitor certain targets of interest within that region.

Dave Bittner:

And Tsinghua University is at the center of your work here. Can you give us some background on what they do there and the part they play within the Chinese community?

Sanil Chohan:

Absolutely, yeah. So, the Tsinghua University, it’s an elite university renowned globally for its work in high-end technical research and engineering practices. It’s state-controlled entirely and it has extensive links to the Chinese state, somewhat obviously, right? I mean, it’s entirely funded by the state. But it does have a long history of affiliation with the People’s Liberation Army, the PLA. For example, in 2017, the PLA had partnered with another university called Xi’an Jiaotong University to create a sort of initiative program. Before that, other universities in China partnered with various elements of the Chinese state and intelligence services to conduct joint bits of research and to conduct joint operations.

So, Tsinghua was something that — again, like I said at the start of the conversation — we weren’t expecting to see that number of events probing the same device that the backdoor was found on, emanating from the same IP, which was off of Tsinghua University.

Dave Bittner:

Now, this relationship of the university working hand-in-hand with the government on these sorts of things, was this something that was known to researchers like you, or was this a surprise?

Winnona DeSombre:

I want to be clear that we’re uncertain of the actual relationship between individuals in Tsinghua conducting any sort of cyberespionage, but we do know that universities of this caliber within China have a very close relationship to the government. For example, the PLA partnered with certain universities to create cyber militia programs. Some APT17 infrastructure was connected to a professor at a different university. So, this sort of cyber cooperation between academic and government institutions in China is pretty common.

Dave Bittner:

I see. So, walk us through what you discovered here, in terms of the actual analysis of the threat.

Winnona DeSombre:

When we first found the Tsinghua University IP, we ran a couple of scans and found that it is, in all likelihood, an internet gateway from the university. A lot of the traffic that we found was scanning and targeting various institutions at incredibly interesting times in the geopolitical sphere. So, for example, the Tsinghua University IP targeted the Alaska state government during a time when Governor Walker, the governor of Alaska, was initiating a trade show with other Chinese institutions and really wanted to develop a relationship with Chinese institutions during the height of this U.S.-China trade war.

This particular trade show was dubbed “Opportunity Alaska” and it consisted of delegates from Alaskan businesses in the fishing, tourism, architecture, and investment industries. A lot of chatter occurred around the prospect of a gas pipeline between China and Alaska. During the announcement of Bill Walker getting this trade delegation together, during the trade delegation in China, and right after the delegation departed China, Recorded Future noticed multiple attempts of scanning activity at Tsinghua targeting Alaska state government institutions, as well as the Alaska Department of Natural Resources.

Sanil Chohan:

The activity emanating from the Tsinghua IP was reconnaissance and not active exploitation. We’ve had a few comments come back after the issuing of our report yesterday, kind of questioning, “Did we see any evidence of actual compromise?”

Well, no, not directly. But what we can infer from our observation of the reconnaissance is that exploitation may well have taken place, because we’ve seen the activity probing some of these networks go dark in the last two months, and it was at quite high levels prior to that.

Dave Bittner:

So, the connection here — I guess, the supposition — is that they’re trying to gather information that might be advantageous to their negotiating process, or things like that?

Winnona DeSombre:

Yes, as well as other possibilities that you can get from scanning. By scanning a target system, you can perhaps get a little bit more information about the technical services running on those machines, and even perhaps use that information to conduct more offensive operations against these targets in the future.

Dave Bittner:

So, another thing that you highlighted in the research was this thing called the Belt and Road Initiative. Can you describe to us what’s going on with that?

Winnona DeSombre:

So, the Belt and Road Initiative in China is, effectively, China’s present-day attempt to recreate the ancient Silk Road from 2,000 years ago. So, by investing in these major infrastructure projects all across the world, particularly in underdeveloped or developing countries, China hopes to transform its geopolitical influence in various regions such as Africa, the Middle East, and parts of southeast Asia.

Sanil Chohan:

So, we’re looking at an investment program that stretches from China all the way through the Caucasus region, through the Middle East, into east Africa, and also kind of touching western Europe, with a key train link being established between Beijing and a city in Germany called Duisburg, I think. This is all kind of directly invested in by the Chinese state in order to corral influence, to improve the standing of their economy, and also to create opportunities and an economic interest in many of those countries in between.

So, it’s a multi-trillion dollar program that was announced by President Xi Jinping. It’s a bit of a baby project of his, really. He’s kind of riding high in the polls as a result of pushing for this in the country. But essentially, it’s a way for the Chinese state to extend their influence beyond the immediate neighborhood in southeast Asia.

It’s proving to be quite an interesting trend to observe from a cyber threat analyst perspective, because of course, in order for Chinese to make good on their investments, they’re looking for any kind of strategic economic advantage and the kind of crummy way in which they tend to achieve that is through cyberespionage. By looking at the potential business relationships with any of those organizations and countries I mentioned in the report and also to you here, that’ll give us a unique insight into potential business relationships and transactions that are taking place between the Chinese and those countries looking to get some money from the Chinese authorities for the BRI.

Dave Bittner:

And so, in terms of the scanning that they were doing related to those efforts, how do those align?

Winnona DeSombre:

For example, Kenya was lobbying for a regional project under this particular Belt and Road Initiative. China’s already funded major, major infrastructure projects in that country — for example, a 480-kilometer railway between Mombasa and its capital, Nairobi. But once the Kenyan trade principal secretary rejected signing a China free-trade deal, we saw spikes in network reconnaissance activity after Kenyan establishments.

The same thing actually happened in Brazil. I think it was about one month after the China Communications Construction Company began construction within one of the Brazilian ports and certain areas in Mongolia when the Chinese proposed a new Eurasian land bridge.

Dave Bittner:

Now, another thing you highlighted was the probing of Daimler’s network. What was going on there?

Sanil Chohan:

Yeah, so again, we didn’t see this in our original pull of data dating back to May and early June. In fact, the Daimler paragraph was added fairly late in the day, just prior to publication, because we found the evidence of them being probed, and in a similar way to which the Alaska network and the Kenya Ports Authority was being probed in late June. So, we’re looking at, again, circa June 20 to 24, Daimler AG networks were being probed, but the four specific ports coincided with the Daimler CEO announcing that there were some profit concerns in light of the growing trade tariffs that were being levered between the Chinese and the U.S. With China being their number one market by far, it was obviously of concern to the Daimler chain of command.

It was quite timely that that announcement was made publicly by Daimler, and the next day, we then see the scanning pick up against their network.

Dave Bittner:

Yeah, and that seems to be a clear pattern here, I suppose.

Sanil Chohan:

Oh, absolutely, yeah.

Dave Bittner:

Something topical happens and they go out and start poking around.

Sanil Chohan:

Yeah, absolutely. So, I mean, the one thing that we wanted to project in the report was the varied kind of victim groups. We’re talking about a U.S. state government entity, we’re talking about a department of natural resources, an official government agency, we’re talking about telcos. We’re looking at east African investment channels for the Chinese state that relate to the Belt and Road Initiative, and also vital commercial entities that have obviously invested heavily in China over the years, that are also expressing concern in the growing trade difficulties that are arising as a result of the policies being enacted by the Chinese and U.S. governments.

So, the one thing we wanted to project here was that there was very clearly a pattern of something kicking off in the public sphere, and some cyberespionage reconnaissance taking place in and around those public statements.

Dave Bittner:

At the center of a lot of the things you’re describing here is this backdoor that you all are calling “ext4.” What’s going on with this?

Winnona DeSombre:

The “ext4” is a fascinating piece of malware for a couple of reasons, the first one being that it’s a Linux-based backdoor, which is not the usual kind of backdoor suspect. And then, the second thing is how every hour, the script runs for only 180 seconds. So, this is a backdoor that individuals would only have access to for three minutes every hour. So, knowing the exact time is important, or one can just continue sending packets at the server until something hits.

It’s fascinating because it’s so tailored and it’s done a lot, not just through the 180 seconds, but also by making sure that the backdoor acts as a background process running through a cron script that it remains fairly undetectable.

Sanil Chohan:

It’s a very sophisticated backdoor, and that goes against the grain of, generally, what we’ve found in the course of our analysis of the targeting of the Tibetan networks. Certainly, in the recent few months, “ext4,” as we call it, is a Linux backdoor. It’s specifically devised for the CentOS operating system. It was sophisticated insofar as that it was embedded within a cron job system file, which essentially runs every hour on the web server.

It’s somewhat unclear to us at the minute, with the data that we have, that the “ext4” relates directly to the Tsinghua campaigns, but we can say with authority that Tsinghua University was probing the Tibetan network like it was also probing the Alaskan networks and the Kenyan networks, and all the others that we’ve stated in the report.

Dave Bittner:

So, what kind of activity is going on here? Are they using it to exfiltrate information? Is that basically what’s happening?

Winnona DeSombre:

We have not observed any particular successful activity surrounding this “ext4.” The traffic that we did find from the Tsinghua IP was actually, interestingly enough, not the right packets. So, this “ext4” backdoor requires a specific TCP header and set of flags in order to be activated, in order to be accepted and to open up the backdoor for the incoming traffic. Interestingly enough, the Tsinghua IP only sent the wrong headers. So, that suggests that either there was some operational mistake, either this Chinese-based traffic was uncertain of the packet headers or made some mistake, or they don’t really have as much to do with each other, or they’re not as closely related as one would think.

Dave Bittner:

So, what are your conclusions here? Discovering what you did, what are the takeaways?

Sanil Chohan:

So, the key takeaway for us is this pattern of activity. The Chinese authorities are obviously very keen on maintaining an economic strategic advantage, especially when it comes to ongoing discussions for large-scale investment programs. What we hope we’ve kind of made clear in this report is that there may well be a flurry of bilateral cyber appeasement policy signs — you know, that the U.S. and Chinese governments signed an agreement two years ago, or three years ago now, which kind of relaxed the concerns around the case of cyberespionage on each of them.

But essentially, what we’re seeing here is a growing need and a solid requirement by the Chinese state to conduct espionage in line with strategic national interests. So, the intent is very clearly kind of borne out here. I would be very surprised to see if the scanning activity kind of just stopped at scanning and reconnaissance, if no further action was taking place. That’s the key thing here for us to pick up on, is to identify any onward exploitation in light of the TTPs that we’ve raised in this report.

Winnona DeSombre:

The biggest takeaway here is that even if you’re a business or an organization that’s attempting to be friendly with China and that is cooperating with China, you’re still opening yourself up for risks related to cyberespionage and reconnaissance. We’ve provided in the report the Yara rules and some more IOCs, but really, the big thing to take away here is the risk factor.

Obviously, having a well-thought-out incident response and communications plan is important, making sure you compartmentalize your company data so that the sensitive information is better protected than the rest, and also being aware of partner or supply chain security standards when you’re doing business with a foreign organization.

Sanil Chohan:

It’s a case of making sure that if you’re a corporate entity, if you’re a government institution that has any dealings with China, corporately or with the state, to make sure that your intrusion detection systems and your intrusion prevention systems are configured correctly to block connections from non-standard IP addresses.

We’ve highlighted the TYP in the report that we produced. The first thing I would suggest everyone do is to alert on that IP and block any connections from it. Going forward, the likelihood is that there’ll be other IP addresses, there’ll be novel techniques used by cyber threat actors to probe corporate networks. So, it’s a case of being aware of what a normal connection, a normal suite of connections would look like for your corporate network and to monitor for any anomalies based on regular patterns of behavior.

We’ve also provided a Yara rule for the “ext4” backdoor. So, if there’s any indication of that “ext4” backdoor being deployed on your network, the Yara rule — if we’re on your host-based sensors — flags up an alert. Well, that’s a link to be concerned about, and we’d be very interested in learning more about any instances of the “ext4” backdoor being deployed anywhere around the world.

On top of that, some of the basic cyber hygiene guidance, as a rule — still validating and keeping all your software and applications up to date, making sure you’re scrutinizing your email correspondence for malware, and making sure that spear phishing attempts are mitigated by stringent scrutinization of those attachment and mail services. Making sure that you’ve compartmented your data on host networks, so that if there is a compromise, the attacker has to work doubly as hard to gain access to sensitive corporate data, by making sure that that sensitive data is compartmented accordingly and protected with appropriate security measures.

Dave Bittner:

In general, when you look at this overall, how much does this align with what you’ve come to expect from Chinese nation-state actors? Does this fall into pretty much their typical trade craft?

Winnona DeSombre:

Oh, absolutely. I think that because China is really growing into a cyber powerhouse and is determined to become this global influencer, they’re going to be acting out in a more proactive and perhaps sometimes aggressive manner in cyberspace. So, when one is trying to research these Chinese actors, I don’t think that this would come as much of a surprise.

Sanil Chohan:

No matter who you speak to, in terms of a government agency or a corporation that has dealings with China, they no doubt are observing and probing the networks of the network perimeter by Chinese IPs. Now, what was very surprising, from my perspective, was that the activity was actually originating from an IP that had WHOIS registration details resolving to Tsinghua. I would have expected to see the activity being directed through a level of obfuscation, perhaps through a DPS or something like that. This was a quite a low-hanging fruit, really. If you’re in security, in corporate, you really need to be aware of a Tsinghua IP probing a network. I mean, obviously it should be raising some concerns as you kind of look at the IP tier. That is actually something that’s fairly easy to mitigate against.

Dave Bittner:

Our thanks to Winnona DeSombre and Sanil Chohan for joining us.

The research is titled, “Chinese Cyberespionage Originating From Tsinghua University Infrastructure.” You can find it on the Recorded Future website in the blog section.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

Related Posts

Exploring the Future of Security Intelligence at RFUN: Predict 2019

Exploring the Future of Security Intelligence at RFUN: Predict 2019

December 5, 2019 • The Recorded Future Team

Just about a month ago on October 29 to 31, more than 600 Recorded Future partners, clients, and...

Threat Hunting, Mentoring, and Having a Presence

Threat Hunting, Mentoring, and Having a Presence

December 2, 2019 • Monica Todros

Our guest today is O’Shea Bowens He’s CEO of Null Hat Security and a SOC manager for Toast, a...

From Infamous Myspace Wormer to Open Source Advocate

From Infamous Myspace Wormer to Open Source Advocate

November 25, 2019 • Monica Todros

If you are of a certain age — an age where you may have spent a good bit of your time online...