As part of a cyberespionage operation targeting Central Asian countries, Chinese hackers recently sought to breach the computer networks of Afghanistan’s National Security Council, researchers at cybersecurity firm Check Point reported.
The alleged attack by the Chinese-speaking hacking group known to cybersecurity experts as IndigoZebra is the latest in an operation that goes back as far as 2014 and has targeted political entities in neighboring Uzbekistan and Kyrgyzstan, the researchers wrote in a report released Thursday. Other countries might also have been targeted, the researchers said.
The Afghan operation came in early April, when hackers impersonated a senior official in the office of the president of Afghanistan to infiltrate the country’s National Security Council. They did this after gaining access to the official’s email account and using it to send national security officials a “dupe email” urging action about an upcoming press conference.
“Yesterday, I called your office and no one answered it,” the hackers posing as the official wrote in the email. “We have received your file and modified it. There is an error in the third line of the second page. Please confirm whether the error exists.”
Acting on the email would have activated malware, and it remains unclear if anyone on the council fell victim to the attack. A spokesman for the council told VOA he was not aware of the attempted breach.
Lotem Finkelstein, head of threat intelligence at Check Point Software Technologies in Tel Aviv, Israel, said it was highly unusual for hackers to use “ministry-to-ministry” deception, as was the case in Afghanistan, to carry out a cyberattack.
“This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty,” Finkelstein said.
This is the first major Chinese cyberespionage operation in Afghanistan to come to light, coming just weeks after Check Point reported on an earlier one targeting Uyghurs in China’s northwestern Xinjiang region as well as Pakistan. The back-to-back attacks suggest a ramping up of Chinese cyberespionage operations along the country’s western border, according to Check Point researchers. China and Afghanistan share a small border.
Nicholas Eftimiades, a former senior intelligence officer with the U.S. Department of Defense, said that Chinese intelligence has long been active in Afghanistan and its primary objective is “what we call sometimes frontier foreign policy.”
“It is [about] controlling any of the activities that happen in China that are influenced from the outside,” Eftimiades said. “Trying to control this in the border regions around China is a primary objective of the Chinese Communist Party.”
Afghan exit by US
The operation comes as China, long wary of instability in Afghanistan and its ripple effect on its Muslim population in Xinjiang, braces for the completion of the withdrawal of U.S. troops from Afghanistan later this summer. The Chinese government is concerned primarily about U.S. plans and intentions in Afghanistan, according to Eftimiades, who is now a professor of homeland security at Pennsylvania State University.
“What happens after the withdrawal? How do they manage that so that it doesn’t negatively influence their population?” Eftimiades said.
Little is known about the IndigoZebra hacking group or its ties to the Chinese government. Denis Legezo, a Moscow-based senior security researcher with Kaspersky, a computer security products company, said the group’s latest operation was “completely in line with the previous scope of their interest.”
In a 2017 research report, Kaspersky said IndigoZebra was targeting former Soviet republics with “a wide swath of malware.” In another report, Kaspersky wrote that Chinese cyber activities in the region showed “China is very interested in policies and negotiations involving Russia with other countries.”
“To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first [to attack],” Kaspersky researchers wrote.
China conducts large-scale cyberespionage operations around the world, cybersecurity experts say. In its latest threat assessment to Congress, the U.S. intelligence community wrote in April that China “presents a prolific and effective cyberespionage threat, possesses substantial cyber-attack capabilities, and presents a growing influence threat.”
The Chinese Embassy in Washington did not respond to a request for comment.
Check Point researchers said they investigated the cyberattack in Afghanistan after stumbling upon a suspicious email on a website that detects malware in email communications. The email had been apparently posted by one of its recipients on the Afghan National Security Council, according to Alexandra Gofman, the lead investigator on the Check Point team that probed the operation.
Khalid Mafton of VOA’s Afghan Service contributed to this report.