Chinese hackers attack Afghan National Security Council network, cybersecurity firm says

Chinese hackers recently tried to break into the computer network of Afghanistan’s National Security Council as part of an ongoing cyberespionage campaign against the country, researchers at the cybersecurity firm Check Point reported.

The Chinese-speaking hacker group suspected of the intrusion attempt is known in cybersecurity circles as “IndigoZebra,” the researchers wrote in a report released Thursday (July 1). The attack is the latest in a campaign dating back to 2014 that has targeted political entities in Uzbekistan and Kyrgyzstan, and the researchers say other countries may have been targeted as well.

The operation against Afghanistan began in early April. The hackers first gained control of the email account of a senior official in the Afghan president’s office, then used it to send NSC officials what Check Point calls a “spoof email,” urging them to act on a document ahead of an upcoming press conference. Because the messages left the official’s real mailbox rather than a look-alike address, ordinary sender-authentication checks would not have flagged them.

“I called your office yesterday, but no one answered,” the hacker posing as the official wrote in the email. “We have received your document and have corrected it. There is an error on the third line of the second page. Please confirm if this error exists.”

Acting on the email would have launched the malware; it is unclear whether anyone at the council fell victim. A spokesman for the council told Voice of America that he was not aware of any attempted intrusion.
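To make the practitioner’s point concrete, here is an added example, not code from Check Point or its report, of how a receiving mail gateway could triage a message like the one described. Because the attacker sent from the official’s genuine account, SPF, DKIM and DMARC all pass; what remains observable is where the message was submitted from (an SMTP AUTH login from outside the sending office’s usual network) and what it carries. The sample message is constructed for this example: the lure text is the one quoted above, but the addresses, domains, IP addresses, trusted network range, timestamps and the attachment’s name and type are placeholders, not details published in the report.

```python
import ipaddress
import re
from email import message_from_string, policy

# Assumed: the network from which staff of the sending office normally
# authenticate to their mail server (RFC 5737 documentation range).
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Attachment types worth holding for analyst review. The article does not say
# what the real attachment was; this list is an assumption for illustration.
RISKY_SUFFIXES = (".exe", ".scr", ".dll", ".js", ".vbs", ".hta", ".lnk",
                  ".rar", ".zip", ".7z", ".iso", ".img")

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
# Postfix-style "with ESMTPSA"/"ESMTPA" marks a hop that used SMTP AUTH,
# i.e. someone logged in with the mailbox credentials to send the message.
SUBMIT_RE = re.compile(r"\bwith\s+E?SMTPS?A\b")

# Constructed sample: only the lure text is from the article; every header
# value and the attachment (RAR5 magic bytes only) are placeholders.
SAMPLE_EML = """\
Received: from smtp.pres-office.example (smtp.pres-office.example [203.0.113.10])
\tby mx.nsc.example with ESMTPS; Thu, 01 Apr 2021 09:12:44 +0430
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby smtp.pres-office.example with ESMTPSA; Thu, 01 Apr 2021 09:12:31 +0430
Authentication-Results: mx.nsc.example;
\tspf=pass smtp.mailfrom=pres-office.example;
\tdkim=pass header.d=pres-office.example;
\tdmarc=pass header.from=pres-office.example
From: "Senior Official" <official@pres-office.example>
To: staff@nsc.example
Subject: Press conference document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

I called your office yesterday, but no one answered. We have received your
document and have corrected it. There is an error on the third line of the
second page. Please confirm if this error exists.

--b1
Content-Type: application/octet-stream; name="Corrected_Document.rar"
Content-Disposition: attachment; filename="Corrected_Document.rar"
Content-Transfer-Encoding: base64

UmFyIRoHAQA=
--b1--
"""


def auth_results(msg):
    """Map each of spf/dkim/dmarc to its result in Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def submission_ip(msg):
    """IP of the earliest hop that authenticated to submit the message.

    Each MTA prepends its own Received header, so the last entry in the
    list is the first hop the message took.
    """
    for received in reversed(msg.get_all("Received", [])):
        if SUBMIT_RE.search(received):
            match = IP_RE.search(received)
            if match:
                return match.group(1)
    return None


def risky_attachments(msg):
    """Filenames of attachments whose type the gateway would not auto-deliver."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_SUFFIXES):
            names.append(name)
    return names


def triage(raw_eml):
    """Decide whether a message should be delivered or held for review."""
    msg = message_from_string(raw_eml, policy=policy.default)
    auth = auth_results(msg)
    ip = submission_ip(msg)
    outside = ip is not None and not any(
        ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    risky = risky_attachments(msg)
    return {
        # All three pass: the mail really did leave the official's account.
        "auth_all_pass": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "submission_ip": ip,
        "submission_outside_trusted_nets": outside,
        "risky_attachments": risky,
        "verdict": "hold_for_review" if (outside or risky) else "deliver",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The design point is that the verdict never depends on the authentication results: a message from a compromised account looks authentic by every standard the sending domain publishes, so the gateway has to reason from the submission hop and the payload instead. In production the trusted ranges would come from the sending organisation’s published egress or VPN addresses, and a held message would go to an analyst rather than being silently dropped.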

Lotem Finkelstein, director of threat intelligence at Tel Aviv-based Check Point Software Technologies, said that using a compromised government account to send “government-to-government” lures, as happened in Afghanistan, is an extremely sophisticated tactic, and that it makes this attack highly unusual.

“This tactic is so vicious that it can effectively get anyone to do anything for you; in this attack, this malicious activity involves the highest levels of ruling power.”

This is the first major Chinese cyberespionage operation to come to light in Afghanistan. It follows by just weeks an earlier Check Point report on a Chinese operation targeting Uighurs in China’s northwestern Xinjiang region and in Pakistan. Check Point researchers said the back-to-back operations indicate that China has stepped up its cyberespionage activity along its western border; China shares a short stretch of its border with Afghanistan.

Nicholas Eftimiades, a former senior U.S. Defense Department intelligence official, said Chinese intelligence agencies have long been active in Afghanistan and that their main goal is “what we sometimes call frontline foreign policy.”

“It’s (to) control any externally influenced activity that’s going on in China,” Eftimiades said. “Trying to contain that in the border areas around China is the primary goal of the Chinese Communist Party.”

The cyberattack comes as China prepares for the withdrawal of U.S. troops from Afghanistan later this summer. China has long been concerned about instability in Afghanistan and the resulting ripple effects on its Muslim population in Xinjiang. Eftimiades, now a professor of homeland security at Penn State, said the Chinese government is primarily concerned about U.S. plans and intentions in Afghanistan.

“What will happen after the withdrawal? How will they respond to post-withdrawal situations so that those situations don’t negatively affect their population?” Eftimiades said.

Little is known about the IndigoZebra hacking group and its ties to the Chinese government. Denis Legezo, a senior security researcher at Kaspersky in Moscow, said the group’s latest operation “fits perfectly into their previous range of interests.”

In a 2017 research report, Kaspersky said IndigoZebra was targeting several former Soviet republics with “a large amount of malware.” A separate Kaspersky report said Chinese cyber activity in the region indicates “a strong interest in policies and negotiations involving Russia with other countries.”

“As Russia and another country were to hold talks, they quickly became targets of cyber attacks; as of now, we have observed three separate cyber attacks related to the talks, with IndigoZebra being the first (to launch an attack),” the Kaspersky researchers wrote.

Cybersecurity experts say China is conducting large-scale cyber espionage around the world. In its latest threat assessment, presented to Congress in April, the U.S. intelligence community wrote that China “poses a prolific and effective cyber espionage threat, possesses robust cyber attack capabilities, and poses a growing threat of influence.”

The Chinese Embassy in Washington did not return a reporter’s request for comment.

Check Point researchers said they began investigating the Afghan attack after stumbling on the suspicious email on a public website that scans email for malware. According to Alexandra Gofman, lead investigator on Check Point’s team, the email appears to have been uploaded to the site by one of its recipients at the Afghan National Security Council.