Home Security Chinese spying taking place from elite university: claim

Chinese state-sponsored attackers appear to be carrying out network reconnaissance of several organisations in Alaska, Nairobi, Kenya and Germany, using the assets of an elite university, the security firm Recorded Future claims.

In a research brief published on Thursday, the company, which has close links with In-Q-Tel, the CIA’s investment arm, and Google Ventures, said these findings came in the wake of its finding Chinese campaigns targeting the Tibetan community and being carried out from Tsinghua University, an elite Chinese institution.

The Tibetans were being targeted via a Web server that was running on a CentOS system – a clone of Red Hat Enterprise Linux. It had what was described as "a novel Linux backdoor called 'ext4'".

Recorded Future's Sanil Chohan, Winona DeSombre and Justin Grosfelt said among the targets were the Alaskan State Government, its Department of Natural Resources, the UN office in Nairobi and the Kenya Ports Authority.

Apart from these, targeted scanning was noticed to be aimed at the office of Germany's Daimler AG, a day after it reduced its profit outlook for the year due to the growing US-China trade tensions.

"In several cases, these activities occurred during periods of Chinese dialogue for economic co-operation with these countries or organisations," the trio wrote.

"We assess with medium confidence that the network reconnaissance activities we uncovered were conducted by Chinese state-sponsored actors in support of China’s economic development goals."

The three researchers found the following:

  • Tsinghua IP 166.111.8[.]246 engaged in network reconnaissance targeting organisations in Alaska, Kenya, Brazil, and Mongolia during times of economic dialogue or publicity around China’s investment in foreign infrastructure projects concerning China’s flagship Belt and Road Initiative.
  • The network reconnaissance activity against Alaskan organisations increased following a trade delegation trip led by the Alaska governor to China in late May. Organisations targeted by the reconnaissance activity were in industries at the heart of the trade discussions, such as oil and gas.
  • The targeting of Daimler AG was observed a day after it announced a profit warning in light of the growing US-China trade tensions.
  • The Tsinghua IP made at least one attempt to subscribe to a US-based hotel’s high-speed Internet portal. It was assessed with low confidence that this may demonstrate an intent to breach Nomadix Internet gateways within the hospitality sector running vulnerable WindWeb servers.
  • The Tsinghua IP repeatedly attempted to connect with a Tibetan network that was compromised with a highly sophisticated backdoor, “ext4.”
  • “ext4” only allowed incoming TCP 443 connections to the compromised network during a 180-second window every hour, with packets requiring a unique combination of TCP header options to successfully connect. In over 20 observed attempts, the Tsinghua IP did not transmit the correct TCP options to activate the backdoor. This suggested:
  • The threat actors connecting from the Tsinghua IP were ill-informed of the correct “ext4” backdoor connection sequence and were making mistakes.
  • The targeting of the Tibetan network is not associated with the presence of the “ext4” backdoor and the network was being probed in line with wider geopolitical and economic network reconnaissance activity being conducted by the Tsinghua IP.

The detailed research report is here.


Site24x7 Seminars

Deliver Better User Experience in Today's Era of Digital Transformation

Some IT problems are better solved from the cloud

Join us as we discuss how DevOps in combination with AIOps can assure a seamless user experience, and assist you in monitoring all your individual IT components—including your websites, services, network infrastructure, and private or public clouds—from a single, cloud-based dashboard.

Sydney 7th May 2019

Melbourne 09 May 2019

Don’t miss out! Register Today!



Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the sitecame into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


Popular News




Guest Opinion


Sponsored News