China Data Leak Reveals Cyber-Spying Surge in Southeast Asia

More than 500 files from Shanghai-based security contractor I-Soon were anonymously posted online (Nikkei montage/Source photos by AP and Reuters)

A document leak has exposed that hackers affiliated with a Chinese state-linked security contractor targeted government agencies in Southeast Asia over an extended period. The affected countries include Thailand, Vietnam, Malaysia, Indonesia, Myanmar, and Cambodia. 

This revelation sheds light on a previously undisclosed aspect of cyberespionage in regions where China maintains significant political and economic relationships. The breached systems include both state entities and private companies. Analysts assert that these cyberattacks align with a consistent trend of Chinese actors engaging in cyberespionage against smaller, more susceptible neighboring nations. The objective appears to involve monitoring sensitive issues and acquiring information related to Western technology companies operating in the region. 

“China is a great power and has deep interests in Southeast Asia,” said Gatra Priyandita, a Southeast Asia expert at the Australian Strategic Policy Institute’s (ASPI) International Cyber Policy Centre. “They want to know what’s going on, and cyber tools help in supporting their efforts to win over officials. There’s also an interest in sensitive information and intellectual property.”

In mid-February, over 500 files originating from the Shanghai-based security contractor I-Soon, also known as Anxun, surfaced online. This unusual release garnered attention from media and cybersecurity experts, who promptly authenticated the files. Chinese law enforcement announced an investigation into the circumstances surrounding the data leak.

Among the disclosed documents was a spreadsheet detailing approximately 80 targets infiltrated by I-Soon, with nearly one-third situated in Southeast Asia. Notably, the list featured eight Thai government agencies, such as the National Intelligence Agency and the Ministry of Interior, along with two state-owned telecom companies and the largest mobile operator in the country, all identified as hacking targets between 2020 and 2022.

The leaked documents also highlighted the presence of Malaysian agencies, government targets in Vietnam, Indonesia, Cambodia, and Myanmar, as well as a telecommunications operator in the Philippines. Despite the significance of these revelations, officials from Thailand, Malaysia, Indonesia, and Vietnam have yet to respond to requests for comments on the matter.

The cyberattacks conducted by I-Soon varied in timing and scale. Some entries were annotated with notes describing the extent of access I-Soon had achieved, with specifics such as “hundreds of machines in the domain” and “office network” recorded for Cambodia’s Financial Management Information System site. This site, a World Bank-backed initiative, serves as Cambodia’s central budget and finance system.

Meas Soksensan, spokesperson for the Ministry of Economy and Finance, conveyed that he had not been informed about the I-Soon hacks. Subsequently, he emphasized the robustness and security of the established security system, asserting that no issues had been encountered.

Experts interviewed highlighted the ambiguity surrounding the dates in the spreadsheet, making it unclear whether they signified the commencement or conclusion of the hacking activities. Additionally, experts suggested the possibility of some ongoing operations. Palo Alto Networks, a U.S.-based cybersecurity company, has documented connections between I-Soon’s tactics and previous Chinese-state-affiliated advanced persistent threat (APT) campaigns, known for their capacity to operate covertly over extended durations.

The I-Soon office, also known as Anxun, in Chengdu. © AP

The spreadsheet, while not disclosing specific clients, revealed I-Soon’s contractual engagements with various Chinese government entities, including the nation’s principal police agency. Documents also indicated the targeting of networks in Hong Kong and self-governing Taiwan, claimed by China as its territory, alongside actions against overseas Chinese dissidents.

Since the mid-2000s, Southeast Asia has confronted Chinese cyberespionage. Recent research documents unveil successful schemes directed at regional ministries, exemplified by the theft of numerous emails from the Association of Southeast Asian Nations (ASEAN). These activities employed tactics like “backdoor” malware within software updates and email phishing, strategically designed to deceive users into revealing confidential information.

Notably, these cyberattacks often coincided with geopolitical events of concern to China, such as ASEAN meetings or tensions in the South China Sea, where overlapping territorial claims exist between Beijing and its neighboring nations.

Abdul Rahman Yaacob, a research fellow at the Lowy Institute’s Southeast Asia Program, highlighted the particular interest I-Soon showed in foreign affairs ministries, notably in Thailand, Indonesia, and Vietnam, along with an emphasis on defense ministries.

“The main point of doing these attacks, especially in these specific government departments or ministries, is to understand and get data on their strategic assessments, their military developments, and their security,” he said.

Beyond government entities, hacking extends to private sectors. A 2022 report from the Australian Strategic Policy Institute (ASPI) reveals that, by 2020, private entities in Southeast Asia, such as universities and companies, constituted 15.4% of global advanced persistent threat (APT) targeting, a notable increase from the 3.6% reported in 2014.

The heightened focus on private entities in the region may be attributed to the interest of Chinese hackers in infiltrating Western technology giants. Priyandita, associated with ASPI, suggests that these hackers encounter challenges in directly breaching such prominent targets.

“Because it’s hard to get to Microsoft, they may target a company in Thailand that’s doing business with Microsoft,” Priyandita said. “They may get access to potential information that will find vulnerabilities within the supply chain for Microsoft, and get to the IP (intellectual property) that way.”

Acknowledging security breaches remains difficult for Southeast Asian governments and companies, which tend to underreport or even deny such incidents. Analysts point to the intricate technical and legal complexities of identifying these breaches and attributing them to Chinese state actors.

Even in cyber-mature nations like Singapore, the relentless pace, extensive scale, and frequent occurrences of these cyberattacks present formidable challenges. Elina Noor, a senior fellow at the Carnegie Endowment for International Peace’s Asia Program, emphasizes the overwhelming nature of these attacks and notes a lack of political will to publicly identify and call out the perpetrators, even when identified.

However, recognizing the escalating threat landscape, ASEAN has taken steps to elevate cybersecurity as a priority. In 2018, it emerged as the sole regional association to adopt the United Nations’ 11 norms of state behavior in cyberspace. Recently, the establishment of a center for cooperation among ASEAN defense establishments against cyberattacks further underscores the collective efforts to address the growing challenges in the region.

“There will be more attacks, by state or non-state actors, to find the weak points and extract data from ASEAN countries,” said Lowy Institute’s Yaacob. “The main issue now is whether ASEAN can effectively develop their capabilities to protect their digital economies and strategic interests.”