STATE GOVERNMENT, COMPANIES SCANNED BY CHINESE STATE-SPONSORED HACKERS
After Alaska Gov. Bill Walker’s trade mission to China with an entourage of Alaska business owners, Chinese hackers using computers at a highly regarded Chinese university probed Alaska companies and government agencies to look for espionage opportunities.
The cybersecurity firm Recorded Future said the hackers targeted the State of Alaska in the weeks before and after the Alaska trade mission in May.
Some of the groups that went with the governor on the May 19-26 trip were also targeted by the hackers. One of the key goals of the trip was to forge agreements for a natural gas pipeline that the Chinese would finance and manage construction of for the State of Alaska.
The Recorded Future website reported today that the following Alaska entities were probed by the Chinese hackers between April 6 and June 24, with over one million IP connections detected between the Tsinghua University IP and several networks in Alaska, including:
- Alaska Communications Systems
- Alaska Department of Natural Resources
- Alaska Power & Telephone Company
- State of Alaska
“The vast number of connections between the Tsinghua IP and the above organizations relate to the bulk scanning of ports 22, 53, 80, 139, 443, 769, and 2816 on the Alaskan networks and were likely conducted to ascertain vulnerabilities and gain illegitimate access. The scanning activity was conducted in a systematic manner with entire IP ranges dedicated to the organizations probed for the above ports.”
The group began its discovery of the Alaska breach while looking for hacking attempts that were targeting the Tibetan community, which seeks independence from Communist China.
“This targeting of the State of Alaska Government followed Alaska’s large trade mission into China dubbed “Opportunity Alaska.” This trade mission occurred in late May and was led by Bill Walker, governor of Alaska. During these talks, one of the highest-profile discussions occurred around the prospect of a gas pipeline between Alaska and China. Despite fears of a China-U.S. trade war, Gov. Walker’s office stated that the trade mission “represent[ed] some of the best Alaska has to offer, and… [highlighted] the wide scope of our shared interests with our largest trade partner.” Opportunity Alaska consisted of delegates from Alaskan businesses in the fishing, tourism, architecture, and investment industries, and made stops in Beijing, Shanghai, and Chengdu.
“Following our research uncovering the Chinese RedAlpha campaigns targeting the Tibetan community, Recorded Future’s Insikt Group identified a novel Linux backdoor called “ext4,” deployed against the same Tibetan victim group. By analyzing the backdoor, we uncovered repeated attempted connections to the same compromised CentOS web server emanating from infrastructure registered to Tsinghua University, an elite Chinese academic institution.
“We also identified network reconnaissance activities being conducted from the same Tsinghua University infrastructure targeting many geopolitical organizations, including the State of Alaska Government, Alaska’s Department of Natural Resources, the United Nations office in Nairobi, and the Kenya Ports Authority. Additionally, we identified the targeted scanning of German automotive multinational Daimler AG that began a day after it cut its profit outlook for the year, citing the growing trade tensions between the U.S. and China. In several cases, these activities occurred during periods of Chinese dialogue for economic cooperation with these countries or organizations.
“We assess with medium confidence that the network reconnaissance activities we uncovered were conducted by Chinese state-sponsored actors in support of China’s economic development goals.”