Research Saturday 8.25.18
Ep 50 | 8.25.18

Cyber espionage coming from Chinese University.


Dave Bittner: [00:00:00] Hey everybody, just a heads-up that the interview we're sharing on this week's Research Saturday was originally broadcast on the Recorded Future podcast, which I also host. This research from Recorded Future is gathering a lot of good notice, and we thought it worthwhile to share here as well.

Dave Bittner: [00:00:18] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:42] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:17] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Winnona DeSombre: [00:01:57] We were following up on our more recent RedAlpha campaign work, where we were tracking Chinese cyber espionage against a series of Tibetan community victims and found this really interesting Linux backdoor.

Dave Bittner: [00:02:13] That's Winnona DeSombre. She's a Threat Intelligence Researcher at Recorded Future. She's co-author of the report "Chinese Cyber Espionage Originating From Tsinghua University Infrastructure," along with her colleagues, Sanil Chohan, who we'll hear from in a moment, and Justin Grosfelt.

Winnona DeSombre: [00:02:31] And, upon analyzing the back door, we actually noticed some connections to the same web server from Tsinghua University. Now, this university is effectively the MIT of China, so it was an incredibly fascinating to find a premier Chinese academic institution trying to break into a Tibetan victim group through an incredibly novel, specifically Linux-based, backdoor.

Sanil Chohan: [00:03:00] And so that was our kind of entry point into this piece.

Dave Bittner: [00:03:03] That's Sanil Chohan. He's a Senior Threat Intelligence Analyst at Recorded Future.

Sanil Chohan: [00:03:07] We were expecting it to be a fairly straightforward piece of analysis looking at this new backdoor, reversing it, looking for some IOCs, and kind of fleshing out our technical analysis accordingly.

Dave Bittner: [00:03:19] Now, take us through some of the background here. I mean, the People's Republic of China has quite a history when it comes to Tibet.

Winnona DeSombre: [00:03:26] Yes. So, the the People's Republic of China claims complete sovereignty over Tibet, and all Tibetan independence movements are considered separatist threats, sometimes even terrorist threats, by the Chinese government. So, aside from other forms of coercion, cyber espionage against Tibetan targets is pretty up there as a frequently-used tool, especially when tensions are running pretty high.

Sanil Chohan: [00:03:52] Tibet is generally regarded as one of the Five Poisons for the Chinese state. That being, essentially, the five primary risks to the stability of the PRC government, the Chinese Communist Party. So, Tibet has long been regarded as an extension of the Chinese mainland. It's treated as such by the Chinese central government, and therefore it poses quite an interesting predicament as far as foreign relations are concerned.

Sanil Chohan: [00:04:23] The Tibetans themselves of course think of themselves as an independent nation and are striving for independence, but that's clamped down upon quite vigorously by the Chinese authorities. And we see that being played out in a variety of different arenas. On the peripheral of the Chinese mainland, the same kind of scope is played out with the Taiwanese, and also with the Falun Gong movement, which is a pseudo-religious movement that stemmed from the '50s and '60s.

Winnona DeSombre: [00:04:52] I think the first form of cyber espionage used against Tibet was called GhostNet in 2008, just used as a wider attempt to monitor certain targets of interest within that region.

Dave Bittner: [00:05:06] And Tsinghua University is at the center of your work here. Can you give us some background on what they do there, and the part they play within the Chinese community?

Sanil Chohan: [00:05:17] Absolutely. yeah. So, the Tsinghua University, it's an elite university renowned globally for its work in high-end technical research and engineering practices. It's state-controlled entirely, and it has extensive links to the Chinese state. Somewhat obviously, right? I mean, it's entirely funded by the state. But it does have a long history of affiliation with the People's Liberation Army, the PLA. For example, in 2017, the PLA had partnered with another university called Xi'An Jiaotong University to create a cyber militia program. And, you know, before that, other universities in China were kind of partnered with various elements of the Chinese state and intelligence services to conduct joint bits of research and to conduct joint operations.

Sanil Chohan: [00:06:08] And so, Tsinghua was something that, again, like I said at the start of the conversation, I mean, we weren't expecting to see the number of events probing the same device that the backdoor was found emanating from the same IP, which resolved to Tsinghua University.

Dave Bittner: [00:06:25] Now, this relationship of the university working hand-in-hand with the government on these sorts of things, was this something that was known to researchers like you, or was this a surprise?

Winnona DeSombre: [00:06:38] So, I want to be clear that we're uncertain of the actual relationship between individuals in Tsinghua conducting any sort of cyber espionage, but we do know that universities of this caliber within China have a very close relationship to the government. For example, the PLA partnered with certain universities to create cyber militia programs. Some APT17 infrastructure was connected to a professor at a different university. So this sort of cyber cooperation between academic and government institutions in China is pretty common.

Dave Bittner: [00:07:18] I see. So, walk us through what you discovered here, in terms of the actual analysis of the threat.

Winnona DeSombre: [00:07:24] When we first found the Tsinghua University IP, we ran a couple scans, found that it is likely, in all likelihood, an Internet gateway from the University. And a lot of the traffic that we found was scanning, targeting various institutions at incredibly interesting times in the geopolitical sphere. So, for example, the Tsinghua University IP targeted the Alaskan state government during a time when Governor Walker, the governor of Alaska, was initiating a trade show with other Chinese institutions, and really wanted to develop a relationship with Chinese institutions during the height of this U.S.-China trade war.

Winnona DeSombre: [00:08:22] This particular trade show was dubbed "Opportunity Alaska," and it consisted of delegates from Alaskan businesses in the fishing, tourism, architecture, and investment industries, and a lot of chatter occurred around the prospect of a gas pipeline between China and Alaska. And during the announcement of Bill Walker getting this trade delegation together, during the trade delegation in China, and right after the delegation departed China, Recorded Future noticed multiple attempts at scanning activity at Tsinghua targeting Alaskan state government institutions, as well as the Alaska Department of Natural Resources.

Sanil Chohan: [00:09:05] You know, the activity emanating from the Tsinghua IP was reconnaissance, and not active exploitation. So, we've had a few comments come back post the issuing of a report yesterday kind of questioning, you know, did we see any evidence of actual compromise? Well, no, not directly. But what we can infer from our observation of the reconnaissance, is that exploitation may well have taken place, because we've seen the activity probing some of these networks go dark in the last two months, and it was quite high levels prior to that.

Dave Bittner: [00:09:40] So, the connection here, I guess the supposition is that they're trying to gather information that might be advantageous to their negotiating process, or things like that?

Winnona DeSombre: [00:09:51] Yes. As well as other possibilities that you can get from scanning, right? So, by scanning a target system you can perhaps get a little bit more information about the technical services running on those machines, and even perhaps use that information to conduct more offensive operations against these targets in the future.

Dave Bittner: [00:10:17] So, another thing that you highlighted in the research was this thing called the "Belt and Road Initiative." Can you describe to us what's going on with that?

Winnona DeSombre: [00:10:26] So, the Belt and Road Initiative in China is effectively China's present day attempt to create the ancient Silk Road from two thousand years ago. So, by investing in these major infrastructure projects all across the world, particularly in underdeveloped or developing countries, China hopes to transform its geopolitical influence in various regions such as Africa, the Middle East, and parts of Southeast Asia.

Sanil Chohan: [00:10:58] So, we're looking at an investment program that stretches from China all the way through west, through the Caucasus region, through the Middle East into East Africa, and also kind of touching Western Europe with a key train link being established between Beijing and a city in Germany called Duisburg, I think it is. And this is all directly invested in by the Chinese state in order to corral influence, to improve the standing of their economy, and also to create opportunities and economic interests in many of those countries in between.

Sanil Chohan: [00:11:33] So, it's a multi-trillion dollar program that was announced by President Xi Jinping. It's a bit of a baby project of his, really, and he's kind of riding high in the polls as a result of pushing for this in the country. But, essentially, it's a way for the Chinese state to kind of extend their influence beyond their immediate neighborhood in East Asia.

Sanil Chohan: [00:11:58] So, it's proven to be quite an interesting trend to observe from a cyber threat analyst's perspective, because, of course, in order for the Chinese to make good on their investments, they're looking for any kind of strategic economic advantage, and the primary way in which they tend to achieve that is through cyber espionage.

Sanil Chohan: [00:12:17] And so, by looking at the potentiality or potential business relationships with any of those organizations and countries I mentioned in the report, and also to you here, I mean, that will give us a unique insight into potential business relationships and transactions that are taking place between the Chinese and those countries looking to get some money from the Chinese authorities for the BRI.

Dave Bittner: [00:12:41] And so, in terms of the scanning that they were doing related to those efforts, how did those align?

Winnona DeSombre: [00:12:47] For example, Kenya was lobbying for regional projects under this particular Belt and Road Initiative, and China's already funded major, major infrastructure projects in that country, for example, a 480 kilometer railway in Mombasa and its capital Nairobi. But, once the Kenyan Trade Principal Secretary rejected signing a China Free Trade deal, we saw spikes in network reconnaissance activity after Kenyan establishments. The same thing actually happened in Brazil, and I think it was about one month after the China Communications Construction Company began construction within one of the Brazilian ports, and certain areas in Mongolia when the Chinese proposed a new Eurasian land bridge.

Dave Bittner: [00:13:41] Now, another thing you highlighted was probing of Daimler's network. What was going on there?

Sanil Chohan: [00:13:49] Yeah, so, again, I mean, we didn't see this in our original pool of data dating back to May and early June. In fact, the Daimler paragraph was added fairly late in the day, just prior to publication, because we found the evidence of them being probed, and in a similar way to the way in which the Alaskan network and the Kenyan Ports Authority was being probed in late June. So we're looking at, again, circa 20th to 24th of June, Daimler AG networks were being probed for four specific ports.

Sanil Chohan: [00:14:23] And this, again, you know, coincided, when we were kind of doing some OSINT, it coincided with the Daimler CEO announcing that there were some profit concerns in light of the growing trade tariffs that were being levied between the Chinese and the U.S. And with China being their number one market by far, it was obviously of concern to the Daimler chain of command. And so, it was quite timely that that announcement was made publicly by Daimler, and the next day we then see the scanning pick up against the network.

Dave Bittner: [00:14:57] Yeah, and that seems to be a clear pattern here, I suppose.

Sanil Chohan: [00:15:00] Absolutely, yeah.

Dave Bittner: [00:15:01] Something topical happens, and they go out and start poking around.

Sanil Chohan: [00:15:06] Yeah, absolutely. So, I mean, the one thing that wanted to kind of project in the report was the varied victim groups. We're talking about kind of a U.S. state government entity, we're talking about a Department of Natural Resources, an official government agency. We're talking about telcos. We're looking at East African investment channels for the Chinese state that relate to the Belt and Road initiative. And also, you know, vital commercial entities, that have obviously invested heavily in China over the years, that are also expressing concern in the growing trade difficulties that are arising as a result of the policies being enacted by the Chinese and U.S. governments.

Sanil Chohan: [00:15:48] And so, the one thing we wanted to project here was that there was very clearly a pattern here. There was something kicking off in the public sphere, and some cyber espionage reconnaissance taking place in and around those public statements.

Dave Bittner: [00:16:02] So, at the center of a lot of the things you're describing here is this backdoor that you all are calling "ext4." What's going on with this?

Winnona DeSombre: [00:16:12] So, the "ext4" is a fascinating piece of malware for a couple reasons, the first one being that it's a Linux-based backdoor, which is not the usual kind of backdoor suspect. And then the second thing is how every hour the script runs for only 180 seconds. So, this is a backdoor that individuals would only have access to for three minutes every hour. So, knowing the exact time is important, or one can just continue sending packets at the server until something hits. It's fascinating because it's so tailored, and it's done a lot, not just through the 180 seconds, but also by making sure that the backdoor acts as a background process running through a cron script, that it remains fairly undetectable.

Sanil Chohan: [00:17:10] It's a very sophisticated backdoor, and that goes against the grain of generally what we've found in the course of our analysis of the targeting of the Tibetan networks, certainly in the recent few months. "Ext4," as we call it, is a Linux backdoor. It's specifically devised for the CentOS operating system, and it was sophisticated insofar as it was embedded within a cron job system file, which essentially runs every hour on the web server. It's somewhat unclear to us at the minute, with the data that we have, that "ext4" relates directly to the Tsinghua campaigns, but we can say with authority that the Tsinghua University was probing the Tibetan network like it was also probing the Alaskan networks, and the Kenyan networks, and all the others that we've stated in the report.

Dave Bittner: [00:17:59] And so, what kind of activity is going on here? Are they using it to exfiltrate information? Is that basically what's happening?

Winnona DeSombre: [00:18:08] We have not observed any particular successful activity surrounding this "ext4." The traffic that we did find from the Tsinghua IP were actually, interestingly enough, not the right packets. So, this "ext4" backdoor requires a specific TCP header and set of flags in order to be activated, in order to be accepted, and to open up the backdoor for the incoming traffic.

Winnona DeSombre: [00:18:38] And, interestingly enough, the Tsinghua IP only sent the wrong headers. So, that suggests that either there was some operational mistake, either this Chinese-based traffic was uncertain of the packet headers or made some mistake, or they don't really have as much to do with each other as, um, or they're not as closely related as one would think.

Dave Bittner: [00:19:05] So, what are your conclusions here? Discovering what you did, what are the takeaways?

Sanil Chohan: [00:19:12] So, the key takeaway for us is that it's this pattern of activity, right? The Chinese authorities are also obviously very keen in maintaining an economic strategic advantage, especially when it comes to kind of ongoing discussions for large-scale investment programs. So, what we hope we've kind of made clear in this report is that there may well be a flurry of bilateral cyber appeasement policy signed. You know, the U.S.-Chinese governments signed an agreement two years ago, or three years ago now, which kind of relaxed the concerns around the case of cyber espionage on each other.

Sanil Chohan: [00:19:54] But essentially what we're seeing here is a growing need and a solid requirement by the Chinese state to conduct espionage in line with strategic national interests. And so, the intent is very clearly kind of borne out here. Now, I would be very surprised to see if the scanning activity kind of just stopped, that scanning and reconnaissance, and if no further action was taking place. I mean, that's the key thing here for us to pick up on here, is to identify any onward exploitation in light of the TTPs that we've raised in this report.

Winnona DeSombre: [00:20:29] The biggest takeaway here is that, even if you're a business or an organization that's attempting to be friendly with China and that is cooperating with China, you're still opening yourself up for risks related to cyber espionage and reconnaissance.

Winnona DeSombre: [00:20:46] So, we've provided in the report the Yara rules and some more IOCs. But, really, the big thing to take away here is the risk factor. Obviously, having a well-thought-out incident response and communications plan is important, making sure you compartmentalize your company data so that the sensitive information is better protected than the rest, and also being aware of partner or supply chain security standards when you're doing business with a foreign organization.

Sanil Chohan: [00:21:16] It's a case of making sure that your, if you're a corporate entity, if you're a government institution that has any dealings with with China, corporately or with the state, to make sure that your intrusion detection systems and your intrusion prevention systems are configured correctly to block connections from non-standard IP addresses. So, you know, we've highlighted the Tsinghua IP in the report that we've produced. The first thing I would suggest everyone to do is to kind of alert on that IP and block any connections from it. But, you know, going forward, I mean, the likelihood is that there will be other IP addresses, there'll be novel techniques used by cyber threat actors to probe corporate networks, so it's a case of being aware of what a normal connection, a normal suite of connections would look like for your corporate network, and to monitor for any anomalies based on regular patterns of behavior.

Sanil Chohan: [00:22:13] We've also provided a Yara rule for the "ext4" backdoor, so if there's any indication of that "ext4" backdoor being deployed in your network, the Yara rule, if your host-based sensors flags up an alert, well, that's something to be concerned of, and we'd be very interested in learning more about any instances of the "ext4" backdoor being deployed anywhere around the world.

Sanil Chohan: [00:22:36] On top of that, you know, some of the kind of basic hygiene, cyber hygiene guidance is all sort of still out there. You know, keep all your software and applications up to date, make sure you're scrutinizing your email correspondence for malware, and making sure that, you know, spearphishing attempts are mitigated by stringent scrutinization of those attachments and mail services. And, you know, in terms of kind of making sure that you've compartmented your data on host networks so that, if there is a compromise, the attacker has to work doubly as hard to gain access to sensitive corporate data by making sure that that sensitive data is compartmented accordingly and protected with appropriate security measures.

Dave Bittner: [00:23:23] In general, I mean, when you look at this overall, does this really, how much does this align with what you come to expect from Chinese nation state actors? Does this fall into pretty much their typical tradecraft?

Winnona DeSombre: [00:23:36] Oh, absolutely. I think that because China is really growing into a cyber powerhouse and is determined to become this global influencer, they're going to be acting out in a more proactive and perhaps sometimes aggressive manner in cyberspace. And so, when one is trying to research these Chinese actors, I don't think that this would come as much of a surprise.

Sanil Chohan: [00:24:07] No matter who you speak to, in terms of a government agency or a corporate that has dealings with China, that they no doubt are observing, probing the network, the network perimeter by Chinese IPs. Now, what was very surprising from my perspective that the activity was actually originating from an IP that had Whois registration details resolving to Tsinghua. I would have expected to see the activity being directed through a level of obfuscation, perhaps through a VPS, or something like that. This was quite a low-hanging fruit, really. I mean, if you're a security analyst at a corporate, you know, you really need to be aware of a Tsinghua IP probing your network. I mean, in all honesty, it should be raising some concerns as you kind of look at the IP here. That's something that's fairly easy to mitigate against.

Dave Bittner: [00:25:01] Our thanks to Winnona DeSombre and Sanil Chohan from Recorded Future for joining us. The research is titled "Chinese Cyber Espionage Originating from Tsinghua University Infrastructure." You can find it on the Recorded Future website.

Dave Bittner: [00:25:17] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:25:24] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:25:33] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.