Chinese hackers this year targeted military and civilian organisations in several Southeast Asian nations, particularly those with similar territorial claims or strategic infrastructure projects, suggesting the involvement of the state, a US-based cybersecurity firm said in new research released late Wednesday.
Malaysia, Indonesia and Vietnam were the top three targeted countries over the past nine months, said the Insikt Group, the threat research arm of Massachusetts-based Recorded Future. The hackers also took aim at several other countries, including the Philippines, Laos, Cambodia and Thailand, it said.
“The identified intrusion campaigns almost certainly support key strategic aims of the Chinese government, such as gathering intelligence on countries engaged in South China Sea territorial disputes or related to projects and countries strategically important to the Belt and Road Initiative (BRI),” Insikt Group said in its report.
The hackers focused on the offices of the Thai and Malaysian prime ministers, the foreign affairs ministries of Indonesia and Malaysia, as well as their militaries, it said. Insikt said it identified over 400 unique servers in Southeast Asia communicating with infected networks that were likely linked to Chinese state-sponsored actors, adding that it didn’t have any insight into the specific data that might have been obtained. The group attributed much of the activity to a Chinese state-sponsored entity it has labelled Threat Activity Group 16.
“We also identified evidence suggesting that TAG-16 shares custom capabilities with the People’s Liberation Army (PLA)-linked activity group RedFoxtrot,” it said. Insikt said it notified all the countries involved in October.
China brushed aside Insikt’s findings.
“We oppose the spread of disinformation for political purposes to mislead the international community and sow discord between regional countries,” Chinese Foreign Ministry spokesman Wang Wenbin said Thursday at a regular press briefing in Beijing.
China has previously dismissed reporting by Recorded Future, including findings in September this year that Chinese state-sponsored hackers were believed to have infiltrated and likely stolen data from an Indian government agency responsible for a national identification base.
In May, Insikt said it identified suspected Chinese state-sponsored network intrusion activity targeting “telecommunications, government and state-owned organisations in Laos”. Both the Lao National Committee for Special Economic Zones and the National Enterprise Database were identified as targets, it said. Laos this month inaugurated a nearly $6 billion Chinese-built railway linking the country with southern China.
The cybersecurity group said the Cambodian foreign ministry along with the country’s only international and commercial deep seaport, Sihanoukville Autonomous Port, were targeted in September.
“The scale and scope of China’s cyber-espionage program remains unrivalled, exemplified by the large number of distinct actors with operational taskings within specific geographic regions,” Insikt Group wrote. Those actors, it said, included “many PLA Strategic Support Force and Ministry of State Security (MSS)-linked threat activity groups”.
Vietnam’s Foreign Affairs spokeswoman Le Thi Thu Hang didn’t address the report’s specifics, but said in an online briefing Thursday that the government “always pays close attention to this and has issued various guidelines, policies and measures to ensure cybersecurity and information safety”. She added that the country “stands ready to cooperate with the international community on this matter.”
Philippine Defense Secretary Delfin Lorenzana told Bloomberg he didn’t know of any recent cyberattacks on the country’s navy, and would task intelligence officials to look into the matter. Other countries didn’t immediately react to the report.