Date: May 2018

Location: United States of America

Summary

Chinese state-sponsored cyber actors leveraged Tsinghua University infrastructure to conduct widespread network reconnaissance targeting the Alaska Department of Natural Resources and other geopolitical entities during periods of economic dialogue. The activity included systematic port scanning of Alaskan networks following trade discussions centered on energy infrastructure, coinciding with China's Belt and Road Initiative objectives. Similar probing targeted organizations in Kenya, Brazil, and Mongolia, aligning with strategic investments, while opportunistic scanning of a German multinational occurred amid U.S.-China trade tensions. The operations aimed to identify vulnerabilities for potential cyberespionage supporting China's economic interests, though no confirmed compromise of the Alaskan systems was identified in the analyzed metadata.


Description

Between March and June 2018, infrastructure registered to Tsinghua University in Beijing, a state-owned academic institution historically linked to Chinese state-sponsored cyber operations, conducted extensive network reconnaissance targeting the Alaska Department of Natural Resources (DNR) and other Alaskan entities. The activity originated from IP address 166.111.8[.]246, part of a /16 CIDR block assigned to Tsinghua University and resolving to the China Education and Research Network Center. This IP engaged in systematic scanning of ports 22, 53, 80, 139, 443, 769, and 2816 across networks belonging to the Alaska Communications Systems Group, Alaska Power & Telephone Company, TelAlaska, the State of Alaska Government, and the Alaska DNR. Over one million connection attempts were recorded between April 6 and June 24, 2018, with the majority constituting bulk scans of entire IP ranges to identify vulnerabilities.

The targeting coincided with Alaska’s "Opportunity Alaska" trade delegation to China in late May 2018, led by Governor Bill Walker to discuss energy projects including a proposed Alaska-China gas pipeline. Scanning activity initially spiked in late March 2018 following the governor’s announcement of the delegation, decreased during the delegation’s visit from May 20-28, then intensified significantly after the delegation’s departure. A secondary surge occurred between June 20-24, 2018, immediately following Governor Walker’s announcement of planned meetings with U.S. and Chinese officials in Washington, D.C. to address trade disputes.


The reconnaissance aligned with broader Chinese economic objectives under the Belt and Road Initiative (BRI), as the same Tsinghua IP simultaneously probed networks in Kenya, Brazil, Mongolia, and Germany. In Kenya, scanning targeted the Kenya Ports Authority and United Nations offices in Nairobi following Kenya’s rejection of a China-East African Community trade deal. Brazilian and Mongolian government networks were probed during Chinese infrastructure investment announcements. German automotive firm Daimler AG was scanned on June 21, 2018, one day after it cited U.S.-China trade tensions in a profit warning.

The Tsinghua IP also attempted connections to a Tibetan CentOS server compromised with the "ext4" Linux backdoor, though all 23 connection attempts between May and June 2018 failed because the TCP header configuration required to activate the backdoor was set incorrectly. Recorded Future identified the activity through analysis of network metadata, third-party scanning data, and VirusTotal submissions, confirming the "ext4" sample had a 0/58 detection ratio as of August 2018.

No malware deployments were confirmed in the Alaskan networks, but the scale and timing of scanning indicated intent to gather strategic intelligence related to energy sector negotiations. The incident highlighted ongoing Chinese cyberespionage patterns leveraging academic infrastructure to support state economic priorities during diplomatic engagements.
