At least four Western think tanks and two non-government organisations were targeted in Chinese cyber- espionage activities this past October and November, according to a new report from CrowdStrike. And in one unusual attack, the adversaries launched a distributed denial of service attack against one think tank after failing to compromise its web server.
In a Wednesday blog post, researchers from CrowdStrike's Falcon Intelligence and OverWatch teams reported that these cyber-spy operations specifically sought to intercept the communications of Westerners involved in Chinese economic policy research and the Chinese economy. Also targeted were experts in defence, international finance, US-Sino relations, cyber-governance, and democratic elections.
The system intrusions typically relied on the China Chopper webshell for reconnaissance and lateral movement, as well as credential harvester Mimikatz and various second-stage tools, the report added.
CrowdStrike notes that these recent attacks sharply contrast from observed Chinese cyber-espionage activity in the preceding months, which focused more on Southeastern and Eastern Asia region. Previous Chinese attacks against think tanks were also less targeted, consisting largely of “smash and grab” operations designed to indiscriminately exfiltrate data, the report continues.
In a first for the company, CrowdStrike researchers also observed a China-based adversary engaging in a disruptive DDoS attack against an espionage target – a bizarre strategy that contradicts the actors' typical m.o. of remaining clandestine.
In this specific case, an attacker attempted to compromise the web server of a think tank involved in an ongoing military research project, using spearphishing emails as the initial attack vector. When CrowdStrike managed to block repeated attempts at compromising the server with web shells and SQL injections the attackers mysteriously launched a DDoS attack on the site.
“The purpose of the attack is unclear, as it did not appear to benefit the espionage objective,” the report states. “Given the timing and subsequent failures at gaining access to what is presumably a high-value target, this DDoS attack could have been done out of frustration.”
“China's renewed interest in targeting Western think tanks and NGOs is hardly surprising given [Chinese] President Xi Jinping's call to improve China's think tanks, a response to myriad new strategic problems facing China as it seeks greater influence as a global player,” CrowdStrike concludes in its blog post. “The targeting of these six organisations may signal a more widespread and active campaign to collect sensitive material and enable future operations."