Chinese-speaking hackers breached the Afghan government to infiltrate the country’s national security leadership in a targeted espionage campaign, according to the cybersecurity firm Check Point.
The hacking campaign dates back to 2014, according to the company, which is headquartered in California and Israel. Details of the campaign, revealed Thursday, come as Chinese cyber espionage and influence operations are drawing increasing attention around the globe, particularly inside the U.S. For example, the Biden administration has said it is preparing to formally identify those responsible for the mass exploitation of Microsoft Exchange servers, which Microsoft attributed to a state-sponsored group operating in China.
Check Point said its research team does not know whether the Chinese-speaking “IndigoZebra” hacking group is directed or sponsored by the Chinese government. According to the company, the hackers impersonated the Office of the President of Afghanistan to infiltrate the Afghan National Security Council and used the file-storage service Dropbox to hide their activity.
An Afghan National Security Council official opened an email attachment, purportedly sent from the president’s office and concerning a press conference, that the researchers said instead installed a backdoor the hackers used to steal information. The backdoor communicated with an attacker-controlled Dropbox account, so Dropbox served as the hackers’ command-and-control channel and their traffic blended in with legitimate use of the service.
“What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception. This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty,” Lotem Finkelstein, Check Point head of threat intelligence, said in a statement. “Furthermore, it’s noteworthy how the threat actors utilize Dropbox to mask themselves from detection, a technique that I believe we should all be aware of, and that we should all watch out for.”
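The Dropbox-as-C2 technique described above is hard to block outright, because the same endpoints carry legitimate client traffic. As an added example (not from Check Point’s report or from the article), the following Python script hunts for it in web-proxy logs using two cheap signals: calls to the Dropbox API from a User-Agent that is not the sanctioned desktop client, and beacon-like regularity in the timing of those calls. The log lines are constructed, the pipe-separated format is an assumed proxy export, and the `DropboxDesktopClient/` User-Agent prefix is an assumption to be replaced with whatever your own managed clients actually send.

```python
"""Hunt for Dropbox-API command-and-control traffic in web-proxy logs.

Added example. The log lines are constructed and the pipe-separated format
(timestamp | client IP | User-Agent | destination host | request | status)
is an assumed export, not any real product's format.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Hostnames used by the Dropbox HTTP API (real endpoints; not an exhaustive list).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "notify.dropboxapi.com"}

# User-Agent prefixes we ASSUME the sanctioned desktop client sends. Anything else
# talking to the API (curl, python-requests, a spoofed browser string) deserves a look.
EXPECTED_UA_PREFIXES = ("DropboxDesktopClient/",)

MIN_EVENTS = 3       # need at least this many API calls to judge periodicity
MAX_JITTER = 0.15    # stdev/mean of inter-request gaps below this looks like a beacon

# Constructed sample: 10.20.1.17 runs the real client, 10.20.1.88 uses the website
# in a browser, and 10.20.1.42 polls the API every ~5 minutes with a spoofed UA.
SAMPLE_LOG = """\
2021-06-10T09:00:03Z | 10.20.1.17 | DropboxDesktopClient/123.4.4867 | api.dropboxapi.com | POST /2/files/list_folder | 200
2021-06-10T09:00:09Z | 10.20.1.42 | Mozilla/4.0 (compatible; MSIE 7.0) | api.dropboxapi.com | POST /2/files/list_folder | 200
2021-06-10T09:02:41Z | 10.20.1.17 | DropboxDesktopClient/123.4.4867 | content.dropboxapi.com | POST /2/files/upload | 200
2021-06-10T09:05:09Z | 10.20.1.42 | Mozilla/4.0 (compatible; MSIE 7.0) | api.dropboxapi.com | POST /2/files/list_folder | 200
2021-06-10T09:07:30Z | 10.20.1.88 | Mozilla/5.0 (Windows NT 10.0) | www.dropbox.com | GET /home | 200
2021-06-10T09:10:08Z | 10.20.1.42 | Mozilla/4.0 (compatible; MSIE 7.0) | api.dropboxapi.com | POST /2/files/list_folder | 200
2021-06-10T09:15:10Z | 10.20.1.42 | Mozilla/4.0 (compatible; MSIE 7.0) | content.dropboxapi.com | POST /2/files/upload | 200
"""


def parse_line(line):
    """Split one pipe-separated proxy record into a dict with a UTC datetime."""
    ts, src, ua, host, request, status = [f.strip() for f in line.split("|")]
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "src": src, "ua": ua, "host": host,
            "request": request, "status": int(status)}


def is_sanctioned_client(ua):
    """True if the User-Agent matches the client we expect to use the API."""
    return ua.startswith(EXPECTED_UA_PREFIXES)


def beacon_score(timestamps):
    """stdev/mean of the gaps between consecutive requests (0 = perfectly regular).

    Returns None when there are too few events to judge.
    """
    stamps = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if len(gaps) < MIN_EVENTS - 1 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def hunt(log_text):
    """Return one finding per (client IP, User-Agent) pair that hits the Dropbox
    API without the sanctioned client, noting beacon-like timing where present."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["host"] in DROPBOX_API_HOSTS and not is_sanctioned_client(ev["ua"]):
            by_client[(ev["src"], ev["ua"])].append(ev["ts"])

    findings = []
    for (src, ua), stamps in by_client.items():
        reasons = ["Dropbox API contacted by unexpected User-Agent"]
        score = beacon_score(stamps)
        if score is not None and score < MAX_JITTER:
            reasons.append(f"periodic: {len(stamps)} calls, jitter {score:.3f}")
        findings.append({"src": src, "ua": ua, "count": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['src']} ({f['ua']}): {f['count']} calls; " + "; ".join(f["reasons"]))
```

Two caveats for real deployments. First, the API traffic is TLS, so without inspection you are hunting on metadata (destination, User-Agent, timing, volume), not on content; an implant that copies the real client’s User-Agent defeats the first check and leaves only timing and host baselining. Second, scripted integrations that legitimately use the Dropbox API will trip the User-Agent check, so maintain an allow-list of those hosts rather than tuning the heuristic until it goes quiet.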
Mr. Finkelstein told The Washington Times that his researchers were alerted to the espionage campaign through the discovery of files and emails uploaded online.
Company spokesman Ekram Ahmed said the researchers decided not to notify the Afghan government and noted that it is not a Check Point customer. Mr. Ahmed said the 200-employee research team regularly interacts with the FBI and Europol, the European Union’s law enforcement agency, but did not alert those agencies, either.
Check Point, which reports more than 5,400 employees worldwide and more than $2 billion in revenue last year, instead published a report and notified the press.
Neither the Embassy of Afghanistan in Washington nor Dropbox responded to requests for comment. Check Point has said it does not know how many nations beyond Afghanistan were targeted by IndigoZebra hackers but believes Kyrgyzstan and Uzbekistan were also victims.
“This campaign is not limited to Afghanistan, Kyrgyzstan and Uzbekistan — these are the ones we were sure enough to associate with the victim list of IndigoZebra,” Mr. Finkelstein said in a statement to The Times. “From analyzing their offensive infrastructure, it is also possible they had other targets in previous [USSR countries] and even broader than that.”
Other China-related cyber espionage efforts are more squarely focused on America. In March, Microsoft identified Hafnium, a state-sponsored group operating out of China, as the actor behind the mass exploitation of its customers’ on-premises Exchange servers. According to Microsoft, the hackers obtained access to email accounts and installed malware to ensure longer-term access to their targets’ networks.
The material those Chinese hackers sought included information from infectious disease researchers — just as the coronavirus pandemic was taking off worldwide — law firms, educational institutions, think tanks and non-governmental organizations, Microsoft said.
The Biden administration is preparing to formally place the blame for the Microsoft Exchange server hack and is readying subsequent action, according to Anne Neuberger, deputy national security adviser for cyber and emerging technology.
“I think you saw the National Security Adviser Jake Sullivan say that we will attribute that activity and along with that, you know of course, determine what needs to do as a follow-up from that,” Ms. Neuberger said at a Silverado Policy Accelerator event on Tuesday. “And I think you will be seeing further on that in the coming weeks.”
The Biden administration has not laid out how it plans to respond to China-related cyber espionage. But in the SolarWinds hack, in which trojanized updates to network management software compromised nine federal agencies, the administration formally blamed the Russian Foreign Intelligence Service (SVR) and imposed sanctions on Russia.