Chinese Hackers Attacked Afghan Council Network, Cybersecurity Firm Says
July 2, 2021
As part of a cyberespionage operation targeting Central Asian countries,
Chinese hackers recently sought to breach the computer networks of
Afghanistan's National Security Council, researchers at cybersecurity
firm Check Point reported.
The alleged attack by the Chinese-speaking hacking group known to
cybersecurity experts as IndigoZebra is the latest in an operation that
goes back as far as 2014 and has targeted political entities in
neighboring Uzbekistan and Kyrgyzstan, the researchers wrote in a report
released Thursday. Other countries might also have been targeted, the
The Afghan operation came in early April, when hackers impersonated a
senior official in the office of the president of Afghanistan to
infiltrate the country's National Security Council. They did this after
gaining access to the official's email account and using it to send
national security officials a "dupe email" urging action about an
upcoming press conference.
"Yesterday, I called your office and no one answered it," the hackers
posing as the official wrote in the email. "We have received your file
and modified it. There is an error in the third line of the second page.
Please confirm whether the error exists."
Acting on the email would have activated malware, and it remains unclear
if anyone on the council fell victim to the attack. A spokesman for the
council told VOA he was not aware of the attempted breach.
Lotem Finkelstein, head of threat intelligence at Check Point Software
Technologies in Tel Aviv, Israel, said it was highly unusual for hackers
to use "ministry-to-ministry" deception, as was the case in Afghanistan,
to carry out a cyberattack.
"This tactic is vicious and effective in making anyone do anything for
you; and in this case, the malicious activity was seen at the highest
levels of sovereignty," Finkelstein said.
This is the first major Chinese cyberespionage operation in Afghanistan
to come to light, coming just weeks after Check Point reported on an
earlier one targeting Uyghurs in China's northwestern Xinjiang region as
well as Pakistan. The back-to-back attacks suggest a ramping up of
Chinese cyberespionage operations along the country's western border,
according to Check Point researchers. China and Afghanistan share a
Nicholas Eftimiades, a former senior intelligence officer with the U.S.
Department of Defense, said that Chinese intelligence has long been
active in Afghanistan and its primary objective is "what we call
sometimes frontier foreign policy."
"It is [about] controlling any of the activities that happen in China
that are influenced from the outside," Eftimiades said. "Trying to
control this in the border regions around China is a primary objective
of the Chinese Communist Party."
Afghan exit by US
The operation comes as China, long wary of instability in Afghanistan
and its ripple effect on its Muslim population in Xinjiang, braces for
the completion of the withdrawal of U.S. troops from Afghanistan later
this summer. The Chinese government is concerned primarily about U.S.
plans and intentions in Afghanistan, according to Eftimiades, who is now
a professor of homeland security at Pennsylvania State University.
"What happens after the withdrawal? How do they manage that so that it
doesn't negatively influence their population?" Eftimiades said.
Little is known about the IndigoZebra hacking group or its ties to the
Chinese government. Denis Legezo, a Moscow-based senior security
researcher with Kaspersky, a computer security products company, said
the group's latest operation was "completely in line with the previous
scope of their interest."
In a 2017 research report, Kaspersky said IndigoZebra was targeting
former Soviet republics with "a wide swath of malware." In another
report, Kaspersky wrote that Chinese cyber activities in the region
showed "China is very interested in policies and negotiations involving
Russia with other countries."
date, we have observed three separate incidents where Russia and another
country hold talks and are targeted shortly thereafter, IndigoZebra
being the first [to attack]," Kaspersky researchers wrote.
China conducts large-scale cyberespionage operations around the world,
cybersecurity experts say. In its latest threat assessment to Congress,
the U.S. intelligence community wrote in April that China "presents a
prolific and effective cyberespionage threat, possesses substantial
cyber-attack capabilities, and presents a growing influence threat."
The Chinese Embassy in Washington did not respond to a request for
Check Point researchers said they investigated the cyberattack in
Afghanistan after stumbling upon a suspicious email on a website that
detects malware in email communications. The email had been apparently
posted by one of its recipients on the Afghan National Security Council,
according to Alexandra Gofman, the lead investigator on the Check Point
team that probed the operation.