Israeli cybersecurity firm Check Point reported Thursday that a “Chinese-speaking hacker group” is conducting an “ongoing cyber espionage operation” against the government of Afghanistan.
The attackers sent phony emails, ostensibly from the office of Afghan President Ashraf Ghani, to the Afghan National Security Council (NSC) in April. The emails reportedly pressed recipients to open and review the attached documents, which carried the malware.
When victims opened the documents, according to the report, their computers were infected with a backdoor that gave the hackers remote access to their systems. Information stolen from NSC officials through these backdoors was staged in folders on the commercial cloud storage platform Dropbox.
Because Dropbox is widely used and many computers on a network communicate with its servers routinely, the hackers' traffic reportedly blended in with legitimate activity and did not look abnormal to security monitoring systems.
Check Point's research division said it detected "malicious actions taken by threat actors, including access of victims' desktop files, deployment of scanner tools, and execution of Windows built-in networking utility tools."
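The two behaviours described above, a backdoor hiding its traffic among legitimate Dropbox connections and a run of built-in Windows networking utilities for reconnaissance, are both detectable if monitoring keys on the source process and on process bursts rather than on the destination alone. The following is an added illustration of that hunting logic, not Check Point's detection code or anything published about BoxCaon. It assumes Sysmon-style process and network events, treats the public Dropbox API hostnames and the official client's install path as the only expected pairing (an allowlist to adjust per environment), and uses an assumed threshold of three distinct networking utilities within five minutes; the sample telemetry is constructed for the example.

```python
"""Hunting logic for (1) Dropbox API traffic from an unexpected process and
(2) a burst of Windows built-in networking utilities on one host.
Added example with constructed events; not from any real incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Public Dropbox API hostnames.  Alerting on the destination alone is what
# failed in the reported intrusion, so the rule keys on the source process.
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}

# Assumption: only the official client is expected to reach the Dropbox API.
ALLOWED_DROPBOX_IMAGES = {r"c:\program files (x86)\dropbox\client\dropbox.exe"}

# Windows built-in networking utilities commonly used for host/network recon.
NET_UTILS = {"ipconfig.exe", "netstat.exe", "nbtstat.exe", "net.exe", "net1.exe",
             "arp.exe", "route.exe", "nslookup.exe", "tracert.exe"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def suspicious_dropbox_connections(events):
    """Return (host, image, dest) for every connection to a Dropbox API host
    made by a process image that is not on the allowlist."""
    hits = []
    for e in events:
        if e["type"] != "network" or e["dest"].lower() not in DROPBOX_HOSTS:
            continue
        if e["image"].lower() not in ALLOWED_DROPBOX_IMAGES:
            hits.append((e["host"], e["image"], e["dest"]))
    return hits


def recon_bursts(events, min_distinct=3, window=timedelta(minutes=5)):
    """Return {host: [utilities]} for hosts where at least `min_distinct`
    different networking utilities ran inside one `window`.  Both thresholds
    are assumptions to tune against the environment's baseline."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] != "process":
            continue
        name = e["image"].lower().rsplit("\\", 1)[-1]
        if name in NET_UTILS:
            per_host[e["host"]].append((parse_ts(e["ts"]), name))
    flagged = {}
    for host, runs in per_host.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            names = {n for t, n in runs[i:] if t - t0 <= window}
            if len(names) >= min_distinct:
                flagged[host] = sorted(names)
                break
    return flagged


# Constructed sample telemetry (Sysmon-like fields), not real data.
SAMPLE_EVENTS = [
    {"type": "network", "ts": "2021-04-12T09:01:10", "host": "HOST-A",
     "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dest": "api.dropboxapi.com"},
    {"type": "network", "ts": "2021-04-12T09:03:42", "host": "HOST-A",
     "image": r"C:\Users\user\AppData\Roaming\spoolsv.exe",
     "dest": "content.dropboxapi.com"},
    {"type": "process", "ts": "2021-04-12T09:04:01", "host": "HOST-A",
     "image": r"C:\Windows\System32\ipconfig.exe"},
    {"type": "process", "ts": "2021-04-12T09:04:09", "host": "HOST-A",
     "image": r"C:\Windows\System32\netstat.exe"},
    {"type": "process", "ts": "2021-04-12T09:04:30", "host": "HOST-A",
     "image": r"C:\Windows\System32\net.exe"},
    {"type": "process", "ts": "2021-04-12T10:15:00", "host": "HOST-B",
     "image": r"C:\Windows\System32\ipconfig.exe"},
]

if __name__ == "__main__":
    print(suspicious_dropbox_connections(SAMPLE_EVENTS))
    print(recon_bursts(SAMPLE_EVENTS))
```

Run against the sample, the first rule flags only the connection from the binary in the user's roaming profile (the real client's traffic passes), and the second flags HOST-A, where three different utilities ran within half a minute, while the lone ipconfig on HOST-B stays below the threshold. Neither rule needs a network signature for the malware itself, which is the point when command-and-control rides a sanctioned cloud service.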
The group Check Point suspects is behind the attack is known as “IndigoZebra.” The group’s operations against the governments of Afghanistan, Kyrgyzstan, and Uzbekistan stretch back to 2014. Check Point analysts said other countries could also face attack by IndigoZebra.
“What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception. This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty,” Check Point commented.
IndigoZebra was first identified by another cybersecurity firm, Kaspersky Lab, in 2017. At the time the group's targets were mostly "former Soviet republics," including in the espionage campaigns stretching back to 2014 that Check Point mentioned.
Kaspersky analysts described IndigoZebra as a “Chinese-speaking actor” with a fondness for malware attacks similar to the one perpetrated against the Afghan NSC. The analysts were not certain if IndigoZebra was a distinct group or one of several espionage campaigns conducted by a larger group.
The backdoor used in the NSC attack, dubbed "BoxCaon," appears to be a variant of xCaon, the malware Kaspersky reported IndigoZebra had been using since 2014.
A spokesman for Afghanistan's NSC told Voice of America News (VOA) on Thursday he was not aware of hackers breaching any computer systems. However, Check Point investigators said they found a copy of the malicious email uploaded to a "website that detects malware in email communications," evidently submitted by someone at the Afghan NSC.
“This is the first major Chinese cyberespionage operation in Afghanistan to come to light, coming just weeks after Check Point reported on an earlier one targeting Uyghurs in China’s northwestern Xinjiang region as well as Pakistan. The back-to-back attacks suggest a ramping up of Chinese cyberespionage operations along the country’s western border,” VOA observed.
Pennsylvania State University professor Nicholas Eftimiades, a former U.S. intelligence officer, told VOA the Chinese government could be using hackers as part of its “frontier foreign policy,” which essentially amounts to China fretting that instability in places like Afghanistan could filter back to China’s Muslim population.
IndigoZebra’s activities over the years have been concentrated along the Chinese “frontier,” with Afghanistan becoming a region of particular concern as American and NATO forces withdraw. Interestingly, IndigoZebra tends to strike very quickly after a nation on China’s “frontier” holds talks with the Russian government. The Russians hosted a conference between the Afghan government and the Taliban in March.