CyberWire Daily - Cyber espionage coming from Chinese University. [Research Saturday]
Episode Date: August 25, 2018. Threat intelligence firm Recorded Future recently published research describing espionage activities originating from servers at a major Chinese university, coinciding with international economic development efforts. Winnona DeSombre and Sanil Chohan are authors of the report, Chinese Cyberespionage Originating from Tsinghua University Infrastructure, along with their colleague Justin Grosfelt. The research can be found here: https://www.recordedfuture.com/chinese-cyberespionage-operations/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
We were following up on our more recent RedAlpha campaign work, where we were tracking
Chinese cyber espionage against a series of Tibetan community victims, and found this really interesting Linux backdoor.
That's Winnona DeSombre. She's a threat intelligence researcher at Recorded Future.
She's co-author of the report Chinese Cyber Espionage Originating from Tsinghua University Infrastructure, along with her colleagues
Sanil Chohan, who we'll hear from in a moment, and Justin Grosfelt.
And upon analyzing the backdoor, we actually noticed some connections to the same web server
from Tsinghua University. Now, this university is effectively the MIT of China.
So it was incredibly fascinating to find a premier Chinese academic institution trying to break into a Tibetan victim group through an incredibly novel,
specifically Linux-based backdoor.
And so that was our kind of entry point into this piece.
That's Sanil Chohan. He's a senior threat intelligence analyst at Recorded Future. We were expecting it to be a fairly straightforward piece of analysis,
looking at this new backdoor, reversing it, looking for some IOCs and kind of fleshing
out our technical analysis accordingly. Now, take us through some of the background here.
I mean, the People's Republic of China has quite a history when it comes to Tibet.
Yes. So the People's Republic of China claims complete sovereignty over Tibet, and all Tibetan independence movements are considered separatist threats, sometimes even terrorist threats by
the Chinese government. So aside from other forms of coercion, cyber espionage against Tibetan
targets is pretty up there as a frequently used tool, especially when tensions are running pretty high.
Tibet is generally regarded as one of the five poisons for the Chinese state, that being essentially the five primary risks to the stability of the PRC government, the Chinese Communist Party. So Tibet has long been regarded as an extension of the Chinese mainland.
It's treated as such by the Chinese central government,
and therefore it poses quite an interesting predicament
as far as foreign relations are concerned.
The Tibetans themselves, of course, think of themselves as an independent nation and
are striving for independence.
But that's clamped down upon quite vigorously by the Chinese authorities.
And we see that being played out in a variety of different kind of arenas on the periphery
of the Chinese mainland.
The same kind of scope is played out with the Taiwanese and also with the Falun Gong movement,
which is a pseudo-religious movement that stemmed from the 50s and 60s.
I think the first form of cyber espionage used against Tibet was called GhostNet in 2008,
just used as a wire attempt to monitor certain targets of interest within that region.
And Tsinghua University is at the center of your work here. Can you give us some background on
what they do there and the part they play within the Chinese community?
Absolutely, yeah. So the Tsinghua University, it's an elite university renowned globally for
its work in high-end technical research and engineering practices.
It's state-controlled entirely, and it has extensive links to the Chinese state,
somewhat obviously, right?
I mean, it's entirely funded by the state.
But it does have a long history of affiliation with the People's Liberation Army, the PLA.
For example, in 2017, the PLA had partnered with another university called Xi'an Jiaotong University to create a cyber
militia program. Before that, other
universities in China have partnered with various elements of the
Chinese state intelligence services to conduct joint
bits of research and to conduct
joint operations. And so Tsinghua was something that, again, like I said at the start of the
conversation, Dave, I mean, we weren't expecting to see the number of events probing the same
device that the backdoor was found on emanating from the same IP, which resolved to Tsinghua University.
Now, this relationship of the university working hand-in-hand with the government on these
sorts of things, was this something that was known to researchers like you, or was this
a surprise?
So, I want to be clear that we're uncertain of the actual relationship between individuals in Tsinghua conducting any sort of cyber espionage,
but we do know that universities of this caliber within China have a very close relationship to
the government. For example, the PLA partnered with certain universities to create cyber militia
programs. Some APT17 infrastructure was connected
to a professor at a different university. So this sort of cyber cooperation between academic and
government institutions in China is pretty common. I see. So walk us through what you discovered here
in terms of the actual analysis of the threat. When we first found the Tsinghua University IP,
we ran a couple scans,
found that it is likely, in all likelihood,
an internet gateway from the university.
And a lot of the traffic that we found
was scanning, targeting various institutions
at incredibly interesting times in the geopolitical
sphere. So, for example, the Tsinghua University IP targeted the Alaskan state government
during a time when Governor Walker, the governor of Alaska, was initiating a trade show with other Chinese institutions and really
wanted to develop a relationship with Chinese institutions during the height of this U.S.-China
trade war. This particular trade show was dubbed Opportunity Alaska, and it consisted of delegates from Alaskan businesses in the fishing, tourism, architecture and investment industries.
And a lot of chatter occurred around the prospect of a gas pipeline between China and Alaska.
of Bill Walker getting this trade delegation together.
During the trade delegation in China and right after the delegation departed China,
Recorded Future noticed multiple attempts at scanning activity
at Tsinghua targeting Alaskan state government institutions
as well as the Alaska Department of Natural Resources.
You know, the activity emanating from the Tsinghua IP was reconnaissance and not active exploitation.
So we've had a few kind of comments come back post the issuing of our report yesterday,
kind of questioning, you know, did we see any evidence of actual compromise?
Well, no, not directly.
But what we can infer from our observation of the reconnaissance is that exploitation may well have taken place because we've seen the activity probing some of these networks go dark in the last two months.
And it was quite high levels prior to that.
So the connection here, I guess the supposition, is that they're trying to gather information that might
be advantageous to their negotiating process or things like that? Yes, as well as other
possibilities that you can get from scanning, right? So by scanning a target system, you can
perhaps get a little bit more information about the technical services running on those machines
and even perhaps use that information to conduct more offensive operations against these targets in the future.
So another thing that you highlighted in the research was this thing called the Belt and Road Initiative.
Can you describe to us what's going on with that?
So the Belt and Road Initiative in China is effectively China's present-day attempt to recreate the ancient Silk Road from 2,000 years ago. So by investing in these major infrastructure
projects all across the world, particularly in underdeveloped or developing countries,
China hopes to transform its geopolitical influence in various regions such as Africa, the Middle East, and parts of
Southeast Asia. So we're looking at an investment program that stretches from China all the way
through the Caucasus region, through the Middle East, into East Africa,
and also kind of touching Western Europe with a key kind of train link being established
between Beijing and a city in Germany called Duisburg, I think it is.
And this is all kind of directly invested in by the Chinese state in order to corral influence,
to improve the standing of their economy, and also to
create opportunities and economic interests in many of those kind of countries in between. So
it's a multi-trillion-dollar program that was announced by President Xi Jinping. It's a bit of
a baby project of his, really, and he's kind of riding high in the polls as a result of
pushing for this in-country.
But, I mean, essentially, it's a way for the Chinese state to kind of extend their influence beyond the immediate neighborhood in East Asia.
So it's proven to be quite an interesting trend to observe from a cyber threat analyst perspective,
because, of course, in order for the
Chinese to make good on their investments, they're looking for any kind of strategic
economic advantage, and the kind of primary way in which they tend to achieve that is through
cyber espionage. And so by looking at the potential targeting or potential business relationships with
any of those organizations and countries I mentioned in the report and also to you here,
I mean, that will give us a unique insight into potential business relationships and
transactions that are taking place between the Chinese and those countries looking to
get some money from the Chinese authorities for the BRI.
And so in terms of the scanning that they were doing related to those efforts, how did
those align?
For example, Kenya was lobbying for regional projects under this particular Belt and Road
Initiative. And China's already funded major, major infrastructure projects in that country.
For example, a 480-kilometer railway between Mombasa and its capital, Nairobi. But once the Kenyan trade principal secretary
rejected signing a China free trade deal,
we saw spikes in network reconnaissance activity
against Kenyan establishments.
The same thing actually happened in Brazil,
and I think it was about one month
after the China Communications Construction
Company began construction within one of the Brazilian ports, and in certain areas in Mongolia
when the Chinese proposed a new Eurasian land bridge. Now, another thing you highlighted was
probing of Daimler's network.
What was going on there?
Yeah, so again, I mean, we didn't see this in our original pull of data
dating back to sort of May and early June.
In fact, the Daimler paragraph was added fairly late in the day,
just prior to publication, because we found the evidence of them being probed
in a similar way to the way in which the Alaskan network
and the Kenyan ports authority was being probed in late June.
So we're looking at, again, circa 24th of June,
Daimler AG networks were being probed on specific ports.
And this, again, coincided, when we were doing some OSINT, with the Daimler CEO announcing that there were some profit concerns in light of the
growing trade tariffs that were being leveraged between the Chinese and the US. And with China
being their number one market by far, it was obviously of concern to the Daimler chain
of command. And so it was quite timely that that announcement was made publicly by Daimler.
And the next day, we then see the scanning pick up against their network.
Yeah, and then it seems to be a clear pattern here, I suppose.
Oh, absolutely, yeah.
Yeah, something topical happens and they go out and start poking around.
Yeah, absolutely.
So, I mean, the one thing that we wanted to kind of project in the report was the varied kind of victim groups.
We're talking about kind of a U.S. state government entity.
We're talking about a Department of Natural Resources, an official government agency.
We're talking about telcos. We're looking at East African investment channels for the Chinese state that relate to the Belt and Road Initiative, and also vital commercial entities that have
obviously invested heavily in China over the years that are also expressing concern in
the growing trade difficulties that are arising as a result of the policies being enacted
by the Chinese and U.S. governments.
And so the one thing we wanted to project here was that there was very clearly a pattern here.
There was something kicking off in the public sphere and some cyber espionage reconnaissance taking place in and around those public statements.
So at the center of a lot of the things you're describing here is this backdoor
that you all are calling XT4. What's going on with this? So the XT4 is a fascinating piece of malware
for a couple reasons. The first one being that it's a Linux-based backdoor, which is not the
usual kind of backdoor suspect. And then the second thing is how every
hour the script runs for only 180 seconds. So this is a backdoor that individuals would only
have access to for three minutes every hour. So knowing the exact time is important, or one can just continue sending packets at the
server until something hits. It's fascinating because it's so tailored, and it's done a lot,
not just through the 180 seconds, but also by making sure that the backdoor acts as a background
process running through a cron script, that it remains fairly undetectable. It's a very
sophisticated backdoor and that goes against the grain of generally what we've
found in the course of our analysis of the targeting of the Tibetan networks
certainly in the recent few months. XT4, as we call it, is a Linux backdoor. It's specifically devised
for the CentOS operating system, and it was sophisticated
insofar as it was embedded within a cron job system file which essentially
runs every hour on the web server.
It's somewhat unclear to us at the minute, with the data that we have, that the XT4
relates directly to the Tsinghua campaigns.
But we can say with authority that the Tsinghua University was probing the Tibetan network like it was also probing the Alaskan networks and the Kenyan networks and all the others that we've stated in the report.
And so what kind of activity is going on here?
Are they using it to exfiltrate information?
Is that basically what's
happening? We have not observed any particular successful activity surrounding this XT4. The
traffic that we did find from the Tsinghua IP were actually, interestingly enough,
not the right packets. So this XT4 backdoor requires a specific TCP header and set of flags in order
to be activated, in order to be accepted and to open up the backdoor for the incoming traffic.
And interestingly enough, the Tsinghua IP only sent the wrong headers. So that suggests that either there was some operational mistake,
either this Chinese-based traffic was uncertain of the packet headers or made some mistake, or
they don't really have as much to do with each other, or they're not as closely related as one
would think. So what are your conclusions here?
Discovering what you did, what are the takeaways?
So the key takeaway for us is that it's this pattern of activity.
The Chinese authorities are also obviously very keen on maintaining an economic strategic advantage,
especially when it comes to ongoing discussions
for large-scale investment programs.
So what we hope we've made clear in this report
is that there may well be a flurry
of bilateral cyber appeasement policies signed.
You know, the US-Chinese government
signed an agreement two years ago or three years ago now,
which kind of relaxed the concerns around the case of cyber espionage on each other.
But essentially what we're seeing here is a growing need and a solid requirement by the Chinese state
to conduct espionage in line with strategic national interests.
And so the intent is very clearly kind of borne out here. Now, I would be very surprised if the scanning activity had just stopped
at scanning and reconnaissance, and if no further action was taking place. I mean, that's the
kind of key thing here for us to pick up on here, is to identify any onward exploitation
in light of the TTPs that we've raised in this report.
The biggest takeaway here is that even if you're a business or an organization that's
attempting to be friendly with China and that is cooperating with China, you're still opening
yourself up for risks related to cyber espionage and reconnaissance. So we've provided in the report the YARA rules and some more IOCs,
but really the big thing to take away here is the risk factor.
Obviously, having a well-thought-out incident response and communications plan is important,
making sure you compartmentalize your company data so that the sensitive information is
better protected than the rest, and also being aware of partner or supply chain security
standards when you're doing business with a foreign organization.
So it's a case of making sure that if you're a corporate entity, if you're a government
institution that has any dealings with China corporately or with the state
to make sure that your intrusion detection systems
and your intrusion prevention systems are configured correctly
to block connections from non-standard IP addresses.
So we've highlighted the Tsinghua IP in the report that we've produced.
The first thing I would suggest everyone to do is to kind of alert on that IP and block any connections from it.
But, you know, going forward, I mean, the likelihood is
that there'll be other IP addresses,
there'll be novel techniques used by cyber threat actors
to probe corporate networks.
So it's a case of being aware of what a normal connection,
a normal suite of connections would look like
for your corporate network and to monitor for any anomalies
based on regular patterns of behavior.
We've also provided a YARA rule for the XT4 backdoor.
So if there's any indication of that XT4 backdoor being deployed
on your network, the YARA rule, if it's running on your host-based sensors,
flags up an alert. Well, that's something to be concerned about,
and we'd be very interested in learning more about any instances
of the XT4 backdoor being deployed anywhere around the world.
On top of that, some of the kind of basic hygiene,
cyber hygiene guidance is all still valid here.
Keep all your software and applications up to date.
Make sure you're scrutinizing your email correspondence for malware and making sure
that, you know, spear phishing attempts are mitigated by stringent scrutinization of those
attachments and mail services. And, you know, in terms of kind of making sure that you've
compartmented your data on host networks so that, if there is a compromise, the attacker has to work doubly as hard to gain access to sensitive corporate data, by making sure that that sensitive data is compartmented accordingly and protected with appropriate security measures.
In general, I mean, when you look at this overall,
how much does this align with what you've come to expect from Chinese nation-state actors? Does this fall into pretty much their typical tradecraft? Oh, absolutely. I think that
because China is really growing into a cyber powerhouse and is determined to become this global influencer, they're going to be
acting out in a more proactive and perhaps sometimes aggressive manner in cyberspace.
And so when one is trying to research these Chinese actors, I don't think that this would
come as much of a surprise.
No matter who you speak to in terms of a government agency or a corporate that has dealings with
China that they no doubt are observing probing of their networks, of the network perimeter
by Chinese IPs.
Now, what was very surprising from my perspective was that the activity was actually originating
from an IP that had WHOIS registration details resolving to Tsinghua.
I would have expected to see the activity being kind of directed through a level of obfuscation,
perhaps through a VPS or something like that.
This was quite a low-hanging fruit, really.
I mean, if you're a security analyst at a corporate,
you really need to be aware of a Tsinghua IP probing your network.
I mean, it should be raising some concerns as you kind of look at the IP tier.
That's something that's fairly easy to kind of mitigate against.
Our thanks to Winnona DeSombre and Sanil Chohan from Recorded Future for joining us.
The research is titled Chinese Cyber Espionage Originating from Tsinghua University Infrastructure.
You can find it on the Recorded Future website.
The Cyber Wire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman,
Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen,
Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John
Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening.