Chinese cyberespionage groups have been targeting major telecoms providers across Southeast Asia, according to a new report, following accusations from the US and other countries that China hacked into Microsoft Exchange email servers.
Boston-based security firm Cybereason said in a report on Tuesday that it had identified three clusters of intrusions into the region’s telecoms industry since at least 2017, with links to threat actors that were “suspected to be operating on behalf of Chinese state interests”.
The firm said it had proactively sought out threat actors after the US, Britain, European Union and others blamed China for sponsoring the massive Microsoft hack discovered earlier this year that compromised tens of thousands of computers and networks.
The latest hacking allegations come after the US in mid-July vowed to work with its allies against China’s “destabilising behaviour in cyberspace”, including the exposure of internal communications held in Microsoft Exchange software by China-based hackers known as Hafnium.
Beijing rejected the cyberattack claims, saying Washington had “ganged up with its allies to make groundless accusations”, and called on the US and its allies to “stop cybertheft and attacks targeting China”. The foreign ministry said Beijing opposed all forms of cyberattack, and that the US accusations lacked complete evidence in linking the hacking to the Chinese government.
In its report on Tuesday, Cybereason said it had found three clusters of intrusions, the first connected to Soft Cell – a group it said was highly likely to be “operating in the interests of China”. The second involved Naikon APT, a cyberespionage group that has been linked to the People’s Liberation Army and was mainly found to have targeted countries in the Association of Southeast Asian Nations. The third cluster was a back-door in Microsoft’s Outlook Web Access with “significant code similarities” to a previous back-door operation attributed to the China-based threat actor known as Group-3390.
The attackers aimed to “gain and maintain continuous access to telecommunication providers and to facilitate cyberespionage by collecting sensitive information”, which compromised call record data and network components such as web servers and Microsoft Exchange servers, the report said.
Analysts from Cybereason said it was likely the hacking attacks were meant to facilitate espionage efforts against specific targets, such as “corporations, political figures, government officials, law enforcement agencies, political activists and dissident factions of interest to the Chinese government”.
Overlaps in the tactics, techniques and procedures (TTPs) used by the hackers indicated a likely connection between the three actors, suggesting that the groups could have been directed by a centralised coordinating body aligned with Chinese state interests, the report said.
Cyber activity has become yet another space for tensions in the broadening rivalry between Beijing and Washington, as the powers clash over trade, technology, human rights, and competing strategic influence around the world. The White House said it was escalating its response to Chinese cyberattacks, including with transatlantic military alliance Nato, which also condemned China over the Microsoft hacks.
The US Justice Department in July also charged four Chinese citizens with establishing a company that allegedly worked with the Hainan State Security Department to hack into computer systems of companies, universities and government entities in the US and other countries from 2011 to 2018.