Chinese Groups Behind Attack on Afghan Telecom, ‘Roshan’.
Nowadays, several organizations use actionable intelligence to improve investigations that lead to the perpetrators of crime. In one such investigation conducted by Insikt Intelligence, four Chinese threat activity groups were identified. Their intrusion into a mail server targeted Roshan Group, one of the leading telecommunications providers in Afghanistan.
Telecommunication companies are prime targets of cyber attacks and espionage activity because of the intelligence value of the data they hold. With the emerging geopolitical scene that has seen the withdrawal of US and NATO forces from Afghanistan and the ascension of the Taliban to power, the region will remain a subject of interest for the Chinese government as it seeks a more influential role on the political and economic stage.
Insikt Intelligence conducts routine exercises and monitors suspicious activity originating from this region. The watchdog has detected several active groups targeting organizations in Central Asian countries. These groups appear to operate independently and without coordinated effort, perhaps because they take orders from different and disjoint command centers.
The efforts of Insikt have helped identify the groups RedFoxtrot and Calypso APT, as well as two additional groups using the Winnti and PlugX backdoors. Data exfiltration activity by Calypso APT and by the unknown threat actor using Winnti rose in August and continued well into September 2021, coinciding with the withdrawal of US forces from Afghanistan. This chain of events suggests that the groups actively involved in data theft or data manipulation are state-sponsored. China attaches great strategic significance to this region because of the Belt and Road Initiative and other mega projects that propose to transform the regional landscape.
By tracking and monitoring known Chinese threat actors, the team at Insikt Intelligence was able to observe multiple intrusions that targeted Roshan. The earliest activity, linked to the group known in the cyber security world as Calypso APT, was traced back to July 2020 and continued for over a year. Insikt first reported the existence of suspicious activity in August 2021.
The same Roshan server was also found communicating with another Chinese group, recognized as RedFoxtrot. This group's activity was not confined to Roshan alone: after infiltrating Roshan's servers, it went on to target another telecommunication company in Afghanistan.
Two other groups are also active. They use the Winnti and PlugX malware families, but their identity is yet to be ascertained.
The RedFoxtrot group is particularly versatile and active. Its malware campaigns in South Asian countries date as far back as 2014, although it was only reported in 2021. The group employs bespoke malware variants commonly linked to Chinese groups, such as IceFog, QuickHeal, and RoyalRoad, as well as more widely available tools, including Poison Ivy, PlugX, and PCShare.
Further investigation into the group's activity revealed that after the news spread, it abandoned a large amount of the infrastructure focused on Roshan and instead started targeting new victims across the government and defense sectors in India and Pakistan. RedFoxtrot halted its operations against Roshan soon after the disclosure, and its activity was then immediately linked to PlugX command-and-control infrastructure.
Likewise, Calypso APT previously launched a vicious campaign against Microsoft Exchange servers using the ProxyLogon vulnerabilities, with several other Chinese groups working alongside it on this campaign of exploits. Calypso is now actively targeting Roshan in Afghanistan.
With other unidentified groups working alongside them, the onslaught on telecommunication organizations, especially those with a large clientele, will likely continue for a long time. The strategic interests of nations and powers will further complicate matters.