Date: Apr 2018

Location: Mongolia

Summary

Chinese state-sponsored actors originating from Tsinghua University infrastructure conducted cyberespionage operations, including network reconnaissance targeting the Mongolian University of Science and Technology alongside other geopolitical entities. This activity aligned with China's Belt and Road Initiative objectives, focusing on strategic economic interests through scanning and probing networks to identify vulnerabilities. The threat actors employed a sophisticated Linux backdoor ("ext4") against Tibetan communities and systematically probed organizations during periods of bilateral economic dialogue, indicating coordinated intelligence-gathering efforts to advance national economic goals.

CIA Posture: Available to members

Motives: 2 motives

Tactics, Techniques & Procedures: 2 techniques

Threat Actors: 0 actors

Type: Available to members

Location: Available to members

Description

Between March and June 2018, a cyberespionage campaign originating from IP address 166.111.8[.]246, registered to Tsinghua University in Beijing, conducted extensive network reconnaissance targeting organizations across multiple countries, including the Mongolian University of Science and Technology. Recorded Future's Insikt Group identified this activity while analyzing a novel Linux backdoor called "ext4" deployed against Tibetan communities. The Tsinghua IP engaged in systematic scanning of ports 22, 53, 80, 139, 443, 769, and 2816 on victim networks, with a focus on entities linked to China's Belt and Road Initiative (BRI) economic development strategy. Between April 6 and April 12, 2018, the IP repeatedly attempted connections to the Mongolian University of Science and Technology and Mongolia's National Data Center Building. These reconnaissance activities coincided with Mongolia's strategic importance in the Silk Road Economic Belt component of BRI, which proposed a China-Mongolia-Russia economic corridor. The scanning patterns aligned temporally with Chinese infrastructure investments in Mongolia and broader regional BRI negotiations, suggesting intelligence gathering to support China's economic objectives.


The threat actor operated from Tsinghua University infrastructure that hosted multiple services, including PPTP, MySQL, MAMP, OpenSSH, HTTP/SSL, and VPN IKE, across numerous open ports. Metadata analysis indicated that the IP likely functioned as an internet gateway or VPN endpoint. Although the same IP attempted connections to a Tibetan network compromised with the "ext4" backdoor, all 23 observed connection attempts failed because they did not carry the TCP header configuration required to activate the malware. The backdoor, embedded in a CentOS web server's cron file, listened only during a 180-second window each hour and required specific TCP flags (NS, ECE, SYN) together with an XOR-encoded payload for authentication. No successful "ext4" activations occurred from the Tsinghua IP, leaving it uncertain whether the Tibetan targeting and the BRI-related reconnaissance involved the same threat actors. Recorded Future assessed with medium confidence that the Mongolian University scans constituted state-directed cyberespionage, based on infrastructure ties to Chinese academic institutions with PLA connections, alignment with BRI investment timelines, and prior patterns of Chinese economic espionage. The campaign demonstrated China's continued use of cyber operations to monitor both domestic separatist groups and foreign entities central to its geopolitical economic initiatives.
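As an added detection example (not code from the original report or this page), the following Python parses raw TCP headers and reports segments carrying the NS, ECE and SYN flag combination the description associates with activating "ext4"; a legitimate ECN-capable SYN carries ECE together with CWR, and the NS bit is almost never set in real traffic, so this combination is a high-signal anomaly. The sample segments and port numbers are constructed inline.

```python
import struct
from dataclasses import dataclass

# TCP flag bits as laid out in header byte 13; NS (RFC 3540) is the low bit of byte 12,
# folded here into bit 8 of one integer so all nine flags can be tested together.
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
NS = 0x100

@dataclass
class TcpFlags:
    sport: int
    dport: int
    flags: int

def parse_tcp_flags(segment: bytes) -> TcpFlags:
    """Extract ports and the 9-bit flag field from a raw TCP header (no IP header)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    sport, dport, _seq, _ack, off_ns, flag_byte = struct.unpack("!HHIIBB", segment[:14])
    flags = flag_byte | ((off_ns & 0x01) << 8)  # NS sits in bit 0 of the data-offset byte
    return TcpFlags(sport, dport, flags)

def is_ns_ece_syn_trigger(f: TcpFlags) -> bool:
    """True when NS, ECE and SYN are all set: the flag pattern the report ties to ext4."""
    wanted = NS | ECE | SYN
    return (f.flags & wanted) == wanted

def build_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed 20-byte TCP header for testing (not captured traffic)."""
    off_ns = (5 << 4) | (1 if flags & NS else 0)
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, off_ns, flags & 0xFF, 65535, 0, 0)

# Constructed samples: plain SYN, normal ECN-setup SYN (ECE+CWR), plain ACK, trigger pattern.
SAMPLE_SEGMENTS = [
    build_segment(40000, 443, SYN),
    build_segment(40001, 443, SYN | ECE | CWR),
    build_segment(40002, 22, ACK),
    build_segment(40003, 80, NS | ECE | SYN),
]

def find_triggers(segments):
    """Return (sport, dport) for every segment matching the NS+ECE+SYN pattern."""
    return [(f.sport, f.dport) for f in map(parse_tcp_flags, segments) if is_ns_ece_syn_trigger(f)]

if __name__ == "__main__":
    for sport, dport in find_triggers(SAMPLE_SEGMENTS):
        print(f"NS+ECE+SYN segment from port {sport} to port {dport}")
```

On real captures, feed the TCP payload of each IP packet to `parse_tcp_flags`; the report's 180-second hourly window means a single matching segment, not a volume threshold, is what a detection should alert on.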

Sources: 1 source (available to members)