Researchers uncover effort by Chinese-speaking hackers to target Afghan government

Chinese-speaking hackers recently targeted the top tiers of the Afghan government, along with the governments of other nearby nations, research published Thursday found.

According to findings from cybersecurity group Check Point Research, a hacking group known as “IndigoZebra” is involved in an ongoing espionage effort against the Afghan government through the use of malicious phishing emails.

Some of the emails masqueraded as coming from the Office of the President of Afghanistan, and targeted the Afghan National Security Council (NSC). Emails urged the targeted employee to review an attachment regarding details of a NSC press conference.

If the attachment is interacted with, a backdoor is installed on the victim’s network, with the hackers using Dropbox to stay undetected. Check Point found evidence that this backdoor was used to access desktop files and run scans of the network, among other malicious activities. 

“What is remarkable here is how the threat actors utilized the tactic of ministry-to-ministry deception,” Lotem Finkelsteen, the head of Threat Intelligence at Check Point Software, said in a statement Thursday. “This tactic is vicious and effective in making anyone do anything for you; and in this case, the malicious activity was seen at the highest levels of sovereignty.”

The Afghan government was not the only one in the region targeted by the same group.

Check Point found evidence of ongoing targeting of the governments of Kyrgyzstan and Uzbekistan. Check Point’s investigation into these efforts is ongoing.

Ekram Ahmed, a spokesperson for Check Point, told The Hill ahead of the report’s release that the effort against the two nations dates back to 2014.

“We can confirm that those two countries are victims, we can confirm that their governments were part of the vocitiminization, but we can’t say more than that,” Ahmed said.

Finkelsteen noted that beyond Kyrgyzstan and Uzbekistan, other nations were likely targeted by the hacking group, adding that Check Point was sharing information on the attacks in an effort to learn more.

“It’s possible that other countries have also been targeted by this hacker group, though we don’t know how many or which countries,” Finkelsteen said. “Hence, we’re sharing a list of other possible domains used in the attack at this time, in hope that their names can be leveraged by other cyber researchers for contribution to our own findings.”

While a motive was not immediately clear, all three nations confirmed to be targeted in the espionage effort are close neighbors of China. Ahmed said that the proximity was likely a major factor.

“My guess is that they are trying to gain intelligence in order to gain more power and leverage,” Ahmed said.

China, along with Russia, Iran, and North Korea, is regarded as one of the most prolific countries from which cyber criminals operate. Check Point previously published findings in May than another Chinese-speaking group was targeting members of the Uyghur Muslim community in China and abroad as part of a surveillance effort.