Chinese-speaking hackers posed as employees of the office of Afghan President Ashraf Ghani to gain access to computers at the country’s top security agency. Photo: AP

Chinese hackers impersonated Afghanistan’s presidential office to steal documents using Dropbox, research group says

  • Check Point Research said it uncovered malware emailed by Chinese-speaking hacking group IndigoZebra to Afghanistan’s top security agency
  • China has been implicated in multiple high-profile cyberattacks this year amid a global rise in cyber threats, but the country’s government denies involvement

A group of Chinese-speaking hackers is targeting Afghanistan’s top national security agency by impersonating the Office of the President of Afghanistan, according to the cyber threat analysis firm Check Point Research (CPR).

The ploy to infiltrate the Afghan National Security Council was uncovered in April after staff received a suspicious email that appeared to come from a government address but contained a malicious attachment, the US-Israeli research firm said in a report on Thursday. The attached malware, once opened, used Dropbox to mask the theft of sensitive documents.

“The cyberattack on the Afghan government is the latest in a series of attacks that have targeted Central Asia,” said CPR spokesman Ekram Ahmed. “The group is also fearless in the sense that they have no issues in targeting the highest levels of government.”

The attack is part of an operation going back to at least 2014 that has also targeted Kyrgyzstan and Uzbekistan, according to CPR, which identified the hacking group as IndigoZebra. Russian cybersecurity company Kaspersky put the group on a 2017 list of possible culprits targeting former Soviet republics. They are presumed to be based in China, Ahmed said.

Activity from the Chinese-speaking hacker group IndigoZebra was discovered after the Afghanistan National Security Council received a suspicious email. Photo: Check Point Research

CPR first detected the attack using telemetry data collected while crawling the internet, according to Ahmed. It was carried out using a Windows executable file stored in a password-protected RAR archive file named “NSC Press conference”. Once opened, the executable would install a backdoor and start siphoning off files, focusing on those stored on the desktop.

Additional malicious files and commands could be hidden from victims by being placed in the Dropbox folder, according to the report.
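The two behaviours the report describes, an executable run out of a password-protected archive and a backdoor that talks to Dropbox, give a defender something concrete to look for in endpoint telemetry. The following is an added example, not code from the Check Point report or from this article: it scans constructed endpoint network-connection records and flags Dropbox API connections that come from a process outside an allowlist or from a binary launched out of a temporary directory. The Dropbox host names, the process allowlist, the pipe-delimited log format and every sample record are assumptions made for the example and should be tuned to a real environment.

```python
import re
from collections import namedtuple

# Assumed for this example: the Dropbox API hosts a Dropbox-backed backdoor
# would have to reach, and the processes expected to reach them on a managed
# Windows workstation. Both sets are illustrative, not from the report.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
ALLOWED_PROCESSES = {"dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Assumed: a path component that shows up when a binary is launched straight
# out of an archive viewer's scratch directory instead of an installed location.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed sample log (not real telemetry), one record per line:
# timestamp|host|process name|pid|executable path|destination host|port
SAMPLE_LOG = [
    r"2021-04-05T09:12:03Z|ws-17|dropbox.exe|4412|C:\Program Files (x86)\Dropbox\Client\Dropbox.exe|api.dropboxapi.com|443",
    r"2021-04-05T09:14:47Z|ws-17|briefing.exe|5120|C:\Users\analyst\AppData\Local\Temp\Rar$EXa0.381\briefing.exe|api.dropboxapi.com|443",
    r"2021-04-05T09:15:02Z|ws-17|svchost.exe|1001|C:\Windows\System32\svchost.exe|update.microsoft.com|443",
    r"2021-04-05T09:16:30Z|ws-17|chrome.exe|2288|C:\Program Files\Google\Chrome\Application\chrome.exe|content.dropboxapi.com|443",
    r"2021-04-05T09:20:11Z|ws-22|winword.exe|3344|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|content.dropboxapi.com|443",
]

Event = namedtuple("Event", "ts host proc pid exe dst port")
Alert = namedtuple("Alert", "ts host proc pid exe dst reasons")


def parse_line(line):
    """Split one pipe-delimited record into an Event; return None if malformed."""
    fields = line.strip().split("|")
    if len(fields) != 7:
        return None
    ts, host, proc, pid, exe, dst, port = fields
    if not pid.isdigit() or not port.isdigit():
        return None
    return Event(ts, host, proc, int(pid), exe, dst.lower(), int(port))


def find_dropbox_anomalies(lines):
    """Return one Alert per Dropbox API connection that either comes from a
    process outside the allowlist or from a binary running out of a temp
    directory. Connections to other destinations are ignored entirely."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.dst not in DROPBOX_API_HOSTS:
            continue
        reasons = []
        if ev.proc.lower() not in ALLOWED_PROCESSES:
            reasons.append("process not in Dropbox allowlist")
        # Checked even for allowlisted names: a copy of dropbox.exe dropped
        # into Temp is exactly the masquerade this rule should not miss.
        if TEMP_DIR_RE.search(ev.exe):
            reasons.append("executable launched from a temporary directory")
        if reasons:
            alerts.append(Alert(ev.ts, ev.host, ev.proc, ev.pid, ev.exe, ev.dst, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in find_dropbox_anomalies(SAMPLE_LOG):
        print(f"{a.ts} {a.host} pid={a.pid} {a.proc} -> {a.dst}: {'; '.join(a.reasons)}")
```

Run against the constructed log, the rule ignores the legitimate Dropbox client, the browser and the unrelated Windows service, and raises two alerts: the binary run from the archive scratch directory (two reasons) and the Office process reaching the Dropbox content API (allowlist only). The second kind of hit is where tuning happens; the first is the pattern the report describes.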

The findings are the latest to implicate China in recent high-profile hacking incidents, which have also seen fingers pointed at Russia, Iran and North Korea.

Earlier this year, US cybersecurity firm Recorded Future said Chinese hackers had infiltrated India’s power grid ahead of an outage in Mumbai last October. The Chinese Foreign Ministry denied allegations that it had caused the outage, but India has since sought to strengthen its cybersecurity.

In April, Japan also accused Chinese hackers linked to the People’s Liberation Army of attacks on nearly 200 research institutions and firms. The same month, US cybersecurity firm FireEye said that suspected state-backed Chinese hackers have spent months spying on dozens of high-value targets in the government, defence and finance sectors in the US and Europe.

Chinese PLA officers charged with stealing personal data of Americans in Equifax credit agency hack

In May, members of the G7 issued a joint statement calling on China and other countries to bring their cyber activities in line with international norms, highlighting the issue of IP theft. Russia was also named as “threatening … cyberspace security”.

The US government has accused Russia of carrying out an extensive cyberattack uncovered in late 2020 that exploited Microsoft and SolarWinds software, sending malware to 18,000 customers. The Russian government denies involvement.

China, too, has pushed back on allegations of malicious cyber activity, saying it is one of the major victims of cyberattacks. In June, Chinese foreign ministry spokesman Wang Wenbin called the US the “world’s top hacking empire” after Danish media reported that the US National Security Agency had used the country’s underwater cables to spy on top European officials.

Despite China’s rising strength in cyberspace, the US remains the world’s pre-eminent cyber power, according to findings by the International Institute for Strategic Studies this week. The US is expected to retain that position until at least 2030, according to the report.