Cyber Incident Victim: TelAlaska
Date: Mar 2018
Location: United States of America
Summary
TelAlaska was targeted in a network reconnaissance campaign by Chinese state-sponsored actors operating from Tsinghua University infrastructure, specifically IP 166.111.8[.]246, which conducted systematic port scanning of Alaskan organizations following trade discussions between Alaska and China. The activity, part of broader economic cyberespionage aligned with China's Belt and Road Initiative, aimed to identify vulnerabilities in critical infrastructure sectors like oil and gas, coinciding with heightened bilateral engagement and strategic negotiations. Similar scanning targeted entities in Kenya, Brazil, Mongolia, and Germany, indicating coordinated intelligence-gathering to advance China's geopolitical and economic interests.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Between April 6 and June 24, 2018, Tsinghua University IP address 166.111.8[.]246 conducted extensive network reconnaissance targeting multiple Alaskan organizations, including TelAlaska, Alaska Communications Systems Group, Alaska Department of Natural Resources, Alaska Power & Telephone Company, and the State of Alaska Government. The activity involved over one million connection attempts systematically scanning ports 22, 53, 80, 139, 443, 769, and 2816 across entire IP ranges dedicated to these organizations. This scanning aimed to identify vulnerabilities for potential unauthorized access. The targeting coincided with Alaska Governor Bill Walker's "Opportunity Alaska" trade delegation to China in late May 2018, which focused on energy infrastructure projects including a proposed Alaska-China gas pipeline. Initial scanning activity began in late March 2018 shortly after the trade mission announcement, decreased during the delegation's visit to China from May 20-28, then intensified significantly following the delegation's departure. A secondary surge occurred June 20-24 after Governor Walker announced plans to discuss U.S.-China trade tensions in Washington D.C. The Tsinghua IP also conducted simultaneous reconnaissance against Kenyan, Brazilian, and Mongolian entities involved in China's Belt and Road Initiative infrastructure projects.

Technical analysis revealed the Tsinghua IP operated as an internet gateway or VPN endpoint with multiple open services, including PPTP, MySQL, MAMP, OpenSSH, HTTP, SSL, and VPN IKE. The IP had a history of scanning, brute-force attacks, and exploitation attempts and had been flagged by multiple threat intelligence sources. During the same timeframe, the IP attempted 23 unsuccessful connections to a Tibetan network compromised with the "ext4" Linux backdoor, a sophisticated tool embedded in a CentOS cron job that activated hourly for 180-second windows. The backdoor required a specific TCP header configuration (SYN+ECE+NS flags on port 443), which the Tsinghua operator failed to implement correctly. While no malware deployment was confirmed in Alaskan networks, defenders were advised to block the Tsinghua IP and scan for "ext4" artifacts (/usr/bin/ext4, /tmp/0baaf161db39). The campaign demonstrated systematic alignment with Chinese economic priorities: it occurred during diplomatic engagements with the targeted nations and immediately followed developments affecting Chinese trade interests, such as Daimler AG's profit warning, which preceded scans of its networks on June 21, 2018.
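The description above amounts to two defender actions: recognise a source that sweeps whole address ranges on a fixed set of ports (22, 53, 80, 139, 443, 769, 2816) or that matches the reported indicator, and check hosts for the listed "ext4" artifacts. The following is an added example, not code from the original page or from the report it summarises. The key=value log format, the thresholds, the 198.51.100.x/203.0.113.x addresses and the sample lines are all constructed for illustration; only the indicator IP, the port list and the two artifact paths come from the page.

```python
"""Added example: flag port-sweep behaviour and a known indicator in
firewall/flow logs, plus a host check for the reported 'ext4' artifacts.
Log format, thresholds and sample lines are constructed (assumptions)."""
import os
import re
from collections import defaultdict

# Indicator from the report, defanged on the page; bracket removed for matching.
KNOWN_SCANNER_IPS = {"166.111.8[.]246".replace("[.]", ".")}
# Ports the report says were scanned across entire organisational IP ranges.
WATCHED_PORTS = {22, 53, 80, 139, 443, 769, 2816}
# Filesystem artifacts the report told defenders to look for.
EXT4_ARTIFACTS = ["/usr/bin/ext4", "/tmp/0baaf161db39"]

# Constructed key=value log format (an assumption, not any vendor's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def summarise_sources(lines):
    """Aggregate per source IP: distinct destination hosts, ports and attempt count."""
    stats = defaultdict(lambda: {"hosts": set(), "ports": set(), "attempts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # malformed lines are skipped, not fatal
            continue
        s = stats[rec["src"]]
        s["hosts"].add(rec["dst"])
        s["ports"].add(rec["dport"])
        s["attempts"] += 1
    return stats


def find_scanners(lines, min_hosts=5, min_watched_ports=3):
    """Return {source_ip: reason} for sources worth blocking or investigating.

    A source is flagged when it is a known indicator, or when it touched at
    least `min_hosts` distinct destinations on at least `min_watched_ports`
    of the watched ports (the range-sweep pattern described in the report).
    Thresholds are illustrative assumptions."""
    findings = {}
    for src, s in summarise_sources(lines).items():
        hit_ports = s["ports"] & WATCHED_PORTS
        if src in KNOWN_SCANNER_IPS:
            findings[src] = "known indicator (%d attempts)" % s["attempts"]
        elif len(s["hosts"]) >= min_hosts and len(hit_ports) >= min_watched_ports:
            findings[src] = "sweep: %d hosts, ports %s" % (len(s["hosts"]), sorted(hit_ports))
    return findings


def check_ext4_artifacts(root="/"):
    """Return which of the reported 'ext4' backdoor paths exist under `root`."""
    return [p for p in EXT4_ARTIFACTS if os.path.exists(os.path.join(root, p.lstrip("/")))]


def _constructed_sweep(src, hosts, ports):
    """Build constructed deny lines for one source probing every host x port."""
    lines, n = [], 0
    for h in hosts:
        for p in ports:
            lines.append("2018-05-30T01:%02d:%02dZ src=%s dst=203.0.113.%d dport=%d "
                         "proto=tcp action=deny" % (n // 60, n % 60, src, h, p))
            n += 1
    return lines


# Constructed sample: one range sweep, one benign repeat client, one hit from
# the reported indicator, and one malformed line.
SAMPLE_LOG = (
    _constructed_sweep("198.51.100.77", range(1, 7), (22, 80, 443))
    + ["2018-05-30T02:00:00Z src=198.51.100.9 dst=203.0.113.10 dport=443 proto=tcp action=allow",
       "2018-05-30T02:00:01Z src=198.51.100.9 dst=203.0.113.10 dport=443 proto=tcp action=allow",
       "2018-05-30T02:05:00Z src=166.111.8.246 dst=203.0.113.20 dport=2816 proto=tcp action=deny",
       "this line is malformed and will be skipped"]
)

if __name__ == "__main__":
    for ip, reason in sorted(find_scanners(SAMPLE_LOG).items()):
        print("%-16s %s" % (ip, reason))
    print("ext4 artifacts present:", check_ext4_artifacts())
```

The sweep rule keys on breadth (many hosts, several of the watched ports) rather than raw volume, so a busy legitimate client hitting one host repeatedly, like 198.51.100.9 in the sample, is not flagged. Tune `min_hosts` to the size of the monitored ranges, and run `check_ext4_artifacts()` on the CentOS hosts the report's cron-based backdoor would target.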
