Western think tanks and NGOs researching China's economic policy, defence and military, and other aspects of the communist nation as well as US-China relations have been targeted by Chinese hackers, with at least four think tanks and two NGOs being affected.
The cyberattacks took place in October and November and saw hackers operate during Beijing business hours.
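The "Beijing business hours" observation is a standard, if weak, attribution signal: analysts convert the UTC timestamps of intrusion activity into candidate operator timezones and check which one puts most of the activity inside a normal working day. The script below is an added illustration of that profiling step, not code from the article or from CrowdStrike; the event timestamps and the fixed-offset candidate zones are constructed for the example (real work would use DST-aware `zoneinfo` zones and far more events).

```python
"""Time-of-day profiling of intrusion activity against candidate operator timezones.

Converts UTC event timestamps into each candidate zone and measures how much of the
activity falls inside local weekday business hours. Strong clustering in one zone's
working day is one signal that analysts combine with tooling and infrastructure overlaps.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample timeline (UTC) for a hypothetical week-long intrusion.
# These are illustrative values, not data from the CrowdStrike report.
SAMPLE_EVENTS_UTC = [
    "2014-10-06T01:15:00Z",  # Mon 09:15 Beijing
    "2014-10-06T03:40:00Z",  # Mon 11:40 Beijing
    "2014-10-06T06:05:00Z",  # Mon 14:05 Beijing
    "2014-10-07T02:30:00Z",  # Tue 10:30 Beijing
    "2014-10-07T08:50:00Z",  # Tue 16:50 Beijing
    "2014-10-08T00:20:00Z",  # Wed 08:20 Beijing (before the working day)
    "2014-10-08T05:10:00Z",  # Wed 13:10 Beijing
    "2014-10-09T09:45:00Z",  # Thu 17:45 Beijing
    "2014-10-10T14:00:00Z",  # Fri 22:00 Beijing (evening)
    "2014-10-11T03:00:00Z",  # Sat 11:00 Beijing (weekend)
]

# Candidate operator zones as fixed offsets (assumption made for the example;
# a real analysis should use DST-aware zones from the zoneinfo module).
CANDIDATE_ZONES = {
    "UTC+8 (Beijing)": timezone(timedelta(hours=8)),
    "UTC-4 (US Eastern, DST)": timezone(timedelta(hours=-4)),
    "UTC+0": timezone.utc,
}


def parse_utc(ts):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_business_hours(dt_local, start_hour=9, end_hour=18, weekdays_only=True):
    """True if a local-time datetime falls inside [start_hour, end_hour) on a working day."""
    if weekdays_only and dt_local.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        return False
    return start_hour <= dt_local.hour < end_hour


def business_hours_fraction(events_utc, tz, **window):
    """Fraction of events that land inside business hours when viewed from timezone tz."""
    if not events_utc:
        return 0.0
    hits = sum(in_business_hours(parse_utc(e).astimezone(tz), **window) for e in events_utc)
    return hits / len(events_utc)


def local_hour_histogram(events_utc, tz):
    """Count events per local hour of day in timezone tz (useful for a quick bar chart)."""
    return Counter(parse_utc(e).astimezone(tz).hour for e in events_utc)


def rank_timezones(events_utc, zones=CANDIDATE_ZONES):
    """Rank candidate zones by how well they explain the activity as a working day."""
    scored = [(name, business_hours_fraction(events_utc, tz)) for name, tz in zones.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_timezones(SAMPLE_EVENTS_UTC):
        print(f"{name:28s} business-hours fraction: {score:.2f}")
    hist = local_hour_histogram(SAMPLE_EVENTS_UTC, CANDIDATE_ZONES["UTC+8 (Beijing)"])
    for hour in sorted(hist):
        print(f"{hour:02d}:00 {'#' * hist[hour]}")
```

On the constructed sample the Beijing offset explains 70% of the activity as weekday working hours, against 10% for US Eastern, which is the kind of contrast the researchers refer to. The signal is only corroborative: operators can shift schedules, and a fixed offset can mis-assign events near the start or end of the working day, so it is weighed together with tooling such as the webshell and credential-theft utilities the article goes on to describe.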
Security researchers at CrowdStrike, who uncovered the attacks, said that previous cyberespionage operations have generally been similar to "smash-and-grab" robberies, involving hackers indiscriminately stealing data.
However, in this case, the attacks saw hackers specifically go after "the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, US-Sino relations, cyber governance, and democratic elections".
CrowdStrike VP of intelligence, Adam Meyers, told ArsTechnica that hackers who mounted the attacks were likely employed by a private company that was contracted by the Chinese military.
"Nearly all the affected organisations likely maintain close ties to Western government officials. This makes them an attractive target for mounting further attacks against government-supporting sectors, since the intruders can masquerade as trusted sources when sending spear-phishing emails," CrowdStrike security researcher Adam Kozy said in a blog post.
The hackers also used known tools such as the "China Chopper" webshell and the credential-stealing tool Mimikatz, which helped bolster the security researchers' attribution to Chinese hackers. The attackers also searched for specific terms such as "china", "cyber", "japan", "korea", "chinese" and "eager lion".
ArsTechnica reported that Eager Lion is likely of special interest to China because the exercise demonstrates how the US military collaborates with foreign militaries in times of crisis. Information from Eager Lion could potentially help China look for weak spots, according to Meyers.
CrowdStrike researchers noted that in one case, the hackers repeatedly and persistently attempted to break into the networks of a think tank. When the attempted intrusion failed, the hackers launched a DDoS attack against the target's website. CrowdStrike researchers say this is the first time they have observed a Chinese cyberespionage group conduct a disruptive attack against a target, an act that is unusual in a cyberespionage operation.
"This case is notable for several reasons. First, the adversary showed a high degree of persistence and dedication to compromising the target, over the course of a week. The multiple attempts to gain access also highlight the likely importance of the project and/or reveal that the adversary was under specific time constraints," Kozy said.
"China's renewed interest in targeting Western think tanks and NGOs is hardly surprising given President Xi Jinping's call to improve China's think tanks, a response to myriad new strategic problems facing China as it seeks greater influence as a global player. The targeting of these six organisations may signal a more widespread and active campaign to collect sensitive material and enable future operations."