
Cyber Incident Victim: Alaska Power & Telephone Company

Date: Mar 2018

Location: United States of America

Summary

Alaska Power & Telephone Company was targeted in network reconnaissance activity originating from a Tsinghua University IP address, alongside other Alaskan organizations including the state government and Department of Natural Resources. The scanning involved systematic probing of multiple ports to identify vulnerabilities, coinciding with Alaska's economic discussions with China following a trade delegation trip. This activity was assessed as Chinese state-sponsored cyberespionage aligned with China's strategic economic objectives, including monitoring developments related to energy infrastructure negotiations and broader Belt and Road Initiative interests. The same Tsinghua infrastructure concurrently targeted entities in Kenya, Brazil, and Mongolia during periods of economic engagement with China.


Description

Between March and June 2018, Tsinghua University IP address 166.111.8[.]246 conducted extensive network reconnaissance targeting Alaska Power & Telephone Company and other Alaskan entities, including the State of Alaska Government, Alaska Department of Natural Resources, Alaska Communications Systems Group, and TelAlaska. Recorded Future's Insikt Group first observed scanning activity in late March 2018, coinciding with Alaska Governor Bill Walker's announcement of a trade delegation to China. The threat actor systematically scanned entire IP ranges belonging to these organizations, focusing on ports 22, 53, 80, 139, 443, 769, and 2816 to identify vulnerabilities. Activity patterns showed distinct operational phases: initial probing began weeks before the "Opportunity Alaska" trade mission departed in May 2018, decreased during the delegation's in-person meetings in China, then surged significantly after delegates returned to Alaska in late May. A secondary spike occurred between June 20 and 24, following Governor Walker's announcement of planned discussions with U.S. and Chinese officials regarding trade disputes. The reconnaissance specifically targeted industries central to Alaska-China trade negotiations, particularly the oil and gas infrastructure sectors.


The same Tsinghua infrastructure simultaneously conducted geopolitical scanning aligned with China's Belt and Road Initiative (BRI), targeting Kenya Ports Authority, United Nations offices in Nairobi, Mongolian government networks, and Brazilian infrastructure organizations. These activities consistently coincided with key economic dialogues, such as scanning Kenyan networks after Kenya rejected a China-EAC trade deal and probing Brazilian state networks during Chinese port construction projects. While the threat actors attempted connections to a sophisticated Linux backdoor ("ext4") on a Tibetan CentOS server, all 23 observed connection attempts failed due to incorrect TCP header configurations. Recorded Future confirmed the Tsinghua IP engaged in brute-force attacks, exploitation attempts, and suspicious interactions with U.S. hotel network infrastructure, including attempts to access a Florida Holiday Inn's Nomadix gateway running vulnerable WindWeb servers. No malware deployment was confirmed against Alaskan targets, but the sustained reconnaissance created potential compromise risks for critical infrastructure operators like Alaska Power & Telephone Company. Defensive measures included network monitoring for the Tsinghua IP and scanning systems for "ext4" backdoor indicators such as specific file paths and XOR-encoded payload patterns.
