Chinese-speaking hackers violated the Afghan government to infiltrate the country’s national security leadership in a targeted espionage campaign, according to cybersecurity firm Check Point.
The hacking campaign began in 2014, according to the company, which is headquartered in California and Israel. The details of the campaign, revealed Thursday, come as Chinese cyber espionage and influence operations are gaining increasing attention around the world, particularly within the U.S. For example, the Biden administration has said it is preparing to formally identify those responsible for the hack of Microsoft Exchange servers, which the company has attributed to a state-sponsored group operating in China.
Check Point said its investigation team does not know whether the Chinese-speaking hacker group “IndigoZebra” is run or sponsored by the Chinese government. According to the company, the hackers impersonated the Office of the President of Afghanistan to infiltrate the Afghanistan National Security Council and used the file storage service Dropbox to conceal their activity.
An Afghan National Security Council official opened an attachment about a press conference that allegedly came from the president’s office, but which investigators said created a back door for hackers to steal information. The backdoor communicated with a Dropbox account controlled by an attacker, and the hackers took advantage of Dropbox as their command and control center.
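The detection problem this creates is that the backdoor's traffic goes to a legitimate cloud service. The following is an added illustration, not code from Check Point's report or from the campaign itself: it scans constructed proxy-log lines for hosts polling the Dropbox API at a machine-like cadence from a user-agent that is not a known Dropbox client. The log format, hostnames, user-agent list and thresholds are all assumptions for the demo.

```python
"""Spot Dropbox-as-C2 beaconing in proxy logs (added illustration)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed Dropbox API endpoints and legitimate client user-agent prefixes;
# both lists are demo assumptions and should be tuned to your environment.
DROPBOX_API = {"api.dropboxapi.com", "content.dropboxapi.com"}
KNOWN_CLIENTS = ("DropboxDesktopClient", "Mozilla/")

# Constructed sample log: timestamp, source IP, destination host, user-agent.
SAMPLE_LOG = """\
2021-07-01T09:00:00 10.1.1.5 content.dropboxapi.com DropboxDesktopClient/125.4
2021-07-01T09:00:01 10.1.1.5 content.dropboxapi.com DropboxDesktopClient/125.4
2021-07-01T09:00:00 10.1.1.7 api.dropboxapi.com WinHTTP/1.0
2021-07-01T09:05:00 10.1.1.7 api.dropboxapi.com WinHTTP/1.0
2021-07-01T09:10:00 10.1.1.7 api.dropboxapi.com WinHTTP/1.0
2021-07-01T09:15:01 10.1.1.7 api.dropboxapi.com WinHTTP/1.0
2021-07-01T09:02:00 10.1.1.9 www.dropbox.com Mozilla/5.0
"""


def parse(log):
    """Yield (timestamp, src_ip, dest_host, user_agent) per log line."""
    for line in log.splitlines():
        ts, src, host, ua = line.split(" ", 3)
        yield datetime.fromisoformat(ts), src, host, ua


def find_beacons(log, min_hits=3, max_jitter=0.1):
    """Return {src_ip: mean_interval_seconds} for hosts that hit the Dropbox
    API with an unexpected user-agent at a near-constant polling interval."""
    hits = defaultdict(list)
    for ts, src, host, ua in parse(log):
        if host in DROPBOX_API and not ua.startswith(KNOWN_CLIENTS):
            hits[src].append(ts)
    flagged = {}
    for src, stamps in hits.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # A coefficient of variation near zero means scheduled, not human, traffic.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            flagged[src] = round(mean)
    return flagged


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # {'10.1.1.7': 300}
```

The desktop client on 10.1.1.5 and the browser session on 10.1.1.9 are ignored; only the five-minute WinHTTP polling from 10.1.1.7 is flagged.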
“What is remarkable here is how the threat actors used the tactic of deception from ministry to ministry. This tactic is cruel and effective in making anyone do anything for you; and in this case, malicious activity was observed at the highest levels of sovereignty,” Lotem Finkelstein, Check Point’s head of threat intelligence, said in a statement. “Additionally, it is noteworthy how threat actors use Dropbox to mask themselves from detection, a technique that I think we should all be aware of.”
Finkelstein told The Washington Times that his investigators were alerted to the spy campaign through the discovery of files and emails uploaded online.
Company spokesman Ekram Ahmed said investigators decided not to notify the Afghan government and noted that it is not a Check Point customer. Ahmed said the 200-employee investigative team regularly interacts with the FBI and Europol, the European Union’s law enforcement agency, but did not alert those agencies either.
Check Point, which reports having more than 5,400 employees worldwide and more than $2 billion in annual revenue last year, released a report and notified the press.
Neither the Afghan Embassy in Washington nor Dropbox responded to requests for comment. Check Point has said that it does not know how many nations beyond Afghanistan were targeted by hackers from IndigoZebra, but believes that Kyrgyzstan and Uzbekistan were also victims.
“This campaign is not limited to Afghanistan, Kyrgyzstan and Uzbekistan; these are the ones we were able to associate with certainty with the IndigoZebra victim list,” Finkelstein said in a statement to The Times. “From the analysis of their offensive infrastructure, it is also possible that they had other targets in former [USSR countries] and even broader than that.”
Other cyber espionage efforts related to China are more directly focused on the United States. In March, Microsoft identified Hafnium as the China-based state-sponsored cyber attackers responsible for hacking its Exchange servers. According to Microsoft, hackers gained access to email accounts and the ability to install malware to ensure longer-term access to their targets’ digital environments.
The material the Chinese hackers were looking for included information from infectious disease researchers (just as the coronavirus pandemic was taking off around the world), law firms, educational institutions, think tanks and non-governmental organizations, Microsoft said.
The Biden administration is preparing to formally attribute the Microsoft Exchange server hack and is preparing further action, according to Anne Neuberger, deputy national security adviser for cyber and emerging technology.
“I think you saw National Security Advisor Jake Sullivan say that we will attribute that activity and, along with that, of course, you know, determine what should be done to follow up on that,” Neuberger said at a Silverado Policy Accelerator event on Tuesday. “And I think you’ll see more of that in the next few weeks.”
The Biden administration has not explained how it plans to respond to cyber espionage related to China. But in the SolarWinds attack, in which compromised network management software was used to breach nine federal agencies, the administration formally blamed Russia’s Foreign Intelligence Service (SVR) and imposed sanctions on Russia.