Cyber Incident Victim: Strathmore University

Date:

May 2018

Location:

Kenya

Summary

Chinese state-sponsored cyberespionage operations run from Tsinghua University infrastructure conducted network reconnaissance against Strathmore University in Kenya alongside other organizations connected to China's Belt and Road Initiative objectives. The activity included aggressive scanning of Kenyan networks in the days after Kenya rejected a China-EAC free trade agreement, with the Tsinghua-linked IP probing educational institutions, government entities, and critical infrastructure for exposed services. No malware deployment was confirmed against the university; what was observed was reconnaissance only. The campaign reflected broader Chinese economic intelligence-gathering against strategic foreign targets during diplomatic engagements.

Description

Between March and June 2018, Recorded Future's Insikt Group identified cyberespionage activity originating from IP address 166.111.8[.]246, registered to Tsinghua University in Beijing. The IP carried out extensive network reconnaissance against organizations in several countries, including Kenya's Strathmore University, as part of a broader campaign aligned with China's geopolitical and economic objectives. The scanning was systematic and timed to periods of diplomatic engagement, such as Alaska's trade delegation visit to China in May 2018 and Kenya's rejection of a China-EAC free trade agreement in late May. On Kenyan networks, including Strathmore University's infrastructure, the Kenya Ports Authority, and the United Nations Office in Nairobi, the Tsinghua IP probed TCP ports 22, 53, 80, 389, and 443 (SSH, DNS, HTTP, LDAP, and HTTPS), a port set that maps exposed remote-access, directory, and web services rather than any single vulnerability. This coincided with Kenya's central role in China's Belt and Road Initiative (BRI), particularly its Maritime Silk Road component.

Concurrently, the same IP attempted connections to a Tibetan network compromised by the "ext4" Linux backdoor, a stealthy implant that accepts connections on TCP 443 only during a three-minute window each hour. None of the attempts succeeded because they used incorrect TCP header settings.
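
The scanning pattern described above (one external source touching the same handful of ports on several hosts within a short window) is the kind of thing a firewall or flow export will show if someone looks. The following is an added example, not code from the report or from any tool it names: a small detector over constructed sample log lines in a hypothetical "timestamp src dst dport proto action" layout, with RFC 5737 documentation addresses standing in for campus hosts. Only the scanning source address and the five ports come from the page.

```python
"""Detect the recon pattern the report describes: one external source touching
the same small port set on several internal hosts inside a short window."""
from collections import defaultdict
from datetime import datetime

# Ports the Tsinghua IP probed on Kenyan networks, per the report.
RECON_PORTS = {22, 53, 80, 389, 443}

# Constructed sample in a hypothetical "timestamp src dst dport proto action"
# export layout (not a real log format or real traffic). The scanning source
# is the IP named in the report; 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges standing in for campus and peer networks.
SAMPLE_LOG = """\
2018-05-29T10:02:11Z 166.111.8.246 203.0.113.10 22 tcp deny
2018-05-29T10:02:11Z 166.111.8.246 203.0.113.10 53 tcp deny
2018-05-29T10:02:12Z 166.111.8.246 203.0.113.10 80 tcp allow
2018-05-29T10:02:12Z 166.111.8.246 203.0.113.10 389 tcp deny
2018-05-29T10:02:12Z 166.111.8.246 203.0.113.10 443 tcp allow
2018-05-29T10:02:13Z 166.111.8.246 203.0.113.11 22 tcp deny
2018-05-29T10:02:13Z 166.111.8.246 203.0.113.11 443 tcp allow
2018-05-29T10:02:14Z 166.111.8.246 203.0.113.12 389 tcp deny
2018-05-29T10:02:14Z 166.111.8.246 203.0.113.12 80 tcp allow
2018-05-29T10:03:05Z 198.51.100.7 203.0.113.10 443 tcp allow
2018-05-29T10:03:06Z 198.51.100.7 203.0.113.10 443 tcp allow
2018-05-29T10:04:00Z 198.51.100.9 203.0.113.10 22 tcp allow
"""


def parse_line(line):
    """Split one export line into a dict; raises on malformed input."""
    ts, src, dst, dport, proto, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "dst": dst, "dport": int(dport),
        "proto": proto, "action": action,
    }


def find_recon_sources(log_text, min_hosts=2, min_ports=3, window_seconds=300):
    """Return {src: summary} for every source that, inside any window of
    window_seconds, hit at least min_ports of RECON_PORTS on at least
    min_hosts distinct destinations. Denied and allowed connections both
    count: a scanner learns something from either answer."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] == "tcp" and ev["dport"] in RECON_PORTS:
            by_src[ev["src"]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            if (len({e["dst"] for e in window}) >= min_hosts
                    and len({e["dport"] for e in window}) >= min_ports):
                # Report the full footprint of the source once it trips the threshold.
                hits[src] = {
                    "hosts": sorted({e["dst"] for e in evs}),
                    "ports": sorted({e["dport"] for e in evs}),
                    "first_seen": evs[0]["ts"].isoformat(),
                    "last_seen": evs[-1]["ts"].isoformat(),
                }
                break
    return hits


def block_rules(hits):
    """Render one iptables DROP rule per flagged source, the report's
    recommended response for the Tsinghua IP."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(hits)]


if __name__ == "__main__":
    found = find_recon_sources(SAMPLE_LOG)
    for src, summary in found.items():
        print(src, summary)
    print("\n".join(block_rules(found)))
```

The sliding window is what keeps a long-lived legitimate peer (the 198.51.100.7 lines, which hit one port on one host) from being flagged; tune `min_hosts`, `min_ports` and `window_seconds` to the size of the network being watched.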

The reconnaissance against Strathmore University occurred alongside scans of BRI-linked entities in Mongolia, Brazil, and Germany, including Daimler AG after its profit warning amid U.S.-China trade tensions. Technical analysis showed that the Tsinghua IP functioned as an internet gateway or VPN endpoint, hosting services such as PPTP, MySQL, and OpenSSH. Metadata indicated prior malicious activity from the address, including brute-force attacks and exploitation attempts. No malware deployment was confirmed at Strathmore or any other scanned entity, but the timing and targeting suggested state-sponsored coordination. The recommended defensive measures were to block the Tsinghua IP and to check Linux hosts for the "ext4" backdoor's unique file paths (/usr/bin/ext4 and /tmp/0baaf161db39) and with the associated YARA signatures. Because the backdoor's listener is only up for three minutes each hour, a single port scan of a suspect host will usually miss it; the file-system indicators are the more reliable check. The incident underscored China's use of academic infrastructure for cyber operations supporting domestic stability goals and BRI economic expansion, and Tsinghua University's institutional ties to state programs such as the 863 Plan further contextualize the activity.
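
For the host-side checks above, here is an added example (not code from the report, and not its YARA rules, which are not reproduced here): a triage helper that sweeps a filesystem root for the two ext4 file paths the report names, hashes anything it finds, and parses /proc/net/tcp for LISTEN sockets so the intermittent port-443 listener can be caught by polling across an hour. The temporary directory, the planted stand-in file, and the /proc/net/tcp excerpt are constructed for the demonstration.

```python
"""Triage helpers for the ext4 backdoor IoCs named in the report."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# File paths the report lists as unique to the "ext4" backdoor.
EXT4_IOC_PATHS = ["/usr/bin/ext4", "/tmp/0baaf161db39"]

# TCP state code for LISTEN as printed in /proc/net/tcp.
TCP_LISTEN = "0A"


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep_ext4_iocs(root="/", ioc_paths=EXT4_IOC_PATHS):
    """Return {ioc_path: metadata} for each IoC path present under root.
    Point root at a mounted evidence image (e.g. /mnt/evidence) to check a
    suspect disk without trusting the suspect host's own kernel and tools."""
    found = {}
    for ioc in ioc_paths:
        candidate = os.path.join(root, ioc.lstrip("/"))
        if not os.path.lexists(candidate):
            continue
        st = os.lstat(candidate)
        entry = {
            "path": candidate,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "is_symlink": os.path.islink(candidate),
        }
        if os.path.isfile(candidate) and not entry["is_symlink"]:
            entry["sha256"] = sha256_of(candidate)
        found[ioc] = entry
    return found


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp content and return the set of ports in LISTEN state.
    The backdoor only listens on 443 for three minutes each hour, so a single
    snapshot is not enough: call this at least once a minute over a full hour
    and union the results."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.rsplit(":", 1)[1], 16))   # hex port
    return ports


# Constructed /proc/net/tcp excerpt: a listener on 22 and one on 443 (state
# 0A = LISTEN), plus one established connection (01) that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:01BB 0A000201:C2A4 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def demo_on_constructed_image():
    """Plant only the /usr/bin/ext4 path (a harmless stand-in file, not the
    real backdoor) in a throwaway directory that plays the role of a mounted
    image, then sweep it. The /tmp marker is deliberately left absent."""
    root = tempfile.mkdtemp(prefix="ext4-sweep-")
    planted = os.path.join(root, "usr", "bin", "ext4")
    os.makedirs(os.path.dirname(planted))
    with open(planted, "wb") as fh:
        fh.write(b"ext4-backdoor-stand-in\n")
    return sweep_ext4_iocs(root)


if __name__ == "__main__":
    print(demo_on_constructed_image())
    print(sorted(listening_ports(SAMPLE_PROC_NET_TCP)))
```

On a live host, `sweep_ext4_iocs("/")` is only as trustworthy as the kernel answering the stat calls; for a machine already suspected of running a backdoor, image the disk and run the sweep against the mount point instead.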
