Cyber Incident Victim: Daimler AG
Date: Jun 2018
Location: Germany
Summary
Daimler AG was targeted by network reconnaissance originating from an IP address registered to Tsinghua University in Beijing and attributed to a Chinese state-sponsored threat actor, one day after the company issued a profit warning tied to U.S.-China trade tensions. The same IP address scanned government and commercial networks in Alaska, Kenya, Brazil, and Mongolia during periods that coincided with trade talks or Belt and Road Initiative (BRI) investments, a pattern consistent with coordinated cyberespionage in support of China's national economic interests.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On June 21, 2018, network reconnaissance activity originating from IP address 166.111.8[.]246, registered to Tsinghua University in Beijing, targeted the German automotive multinational Daimler AG. The activity probed ports 139, 22, 443, and 53 (SMB/NetBIOS, SSH, HTTPS, and DNS) on Daimler networks, one day after the company cut its annual profit outlook citing U.S.-China trade tensions.

The Daimler scanning fit a broader pattern of geopolitically timed reconnaissance from the same Tsinghua IP, which targeted organizations during periods of economic significance to China's strategic interests. Between March and June 2018, the IP conducted systematic port scanning against entities in Alaska, Kenya, Brazil, and Mongolia, often coinciding with high-level trade discussions or China's Belt and Road Initiative (BRI) investments. In Alaska, over one million connections targeted state agencies and energy firms following Governor Bill Walker's trade delegation to China, with scanning intensity rising and falling around key diplomatic events. Similar activity targeted Kenya's maritime port infrastructure and Brazilian state infrastructure during BRI-related negotiations.

No malware deployment was observed in the Tsinghua IP's connection attempts against Daimler; the analysis relied on third-party network metadata rather than host telemetry. Between May and June 2018, the same IP made 23 unsuccessful connection attempts to a Tibetan-associated CentOS server that had been compromised by the "ext4" Linux backdoor; none of the attempts carried the specific TCP header options the backdoor requires for activation, so they failed. Although the IP engaged in widespread scanning, the available data showed no evidence of technical coordination between its operators and the operators of the "ext4" backdoor. Daimler's systems showed no evidence of compromise in the available data, though the targeting reflected China's documented pattern of economic cyberespionage during trade disputes. The incident highlighted the role of Tsinghua University infrastructure in state-aligned operations, consistent with historical ties between Chinese academic institutions and cyberespionage campaigns supporting national economic objectives.
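As an added example (not part of the original record or of any vendor's analysis), the following Python sketches how a defender working only from connection metadata would surface reconnaissance of the kind described above: it aggregates NetFlow-style records by source address and flags any source whose SYN-only probes fan out across several destination hosts and several distinct ports, then tallies that source's attempts per day so bursts can be lined up against external events. The sample records are constructed: the scanner address is the page's reported IP with the defanging brackets removed so it parses, the destinations are RFC 5737 documentation addresses standing in for victim hosts, and the ports mirror those listed in the description. The record schema, the thresholds, and all function names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Flow:
    """One connection record from flow telemetry (constructed schema)."""
    ts: datetime
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags observed: "S" = SYN-only probe, "SA" = handshake completed


# Constructed sample records, not real telemetry. The source address is the
# page's reported scanner with the defanging brackets removed so it parses;
# destinations are RFC 5737 documentation addresses standing in for the
# victim's hosts, and the ports mirror those the description lists.
SAMPLE_FLOWS = """\
2018-06-21T03:12:01Z 166.111.8.246 203.0.113.10 139 S
2018-06-21T03:12:01Z 166.111.8.246 203.0.113.10 22 S
2018-06-21T03:12:02Z 166.111.8.246 203.0.113.10 443 S
2018-06-21T03:12:02Z 166.111.8.246 203.0.113.10 53 S
2018-06-21T03:12:05Z 166.111.8.246 203.0.113.11 139 S
2018-06-21T03:12:05Z 166.111.8.246 203.0.113.11 22 S
2018-06-21T03:12:06Z 166.111.8.246 203.0.113.11 443 S
2018-06-21T03:12:06Z 166.111.8.246 203.0.113.11 53 S
2018-06-21T03:12:09Z 166.111.8.246 203.0.113.12 22 S
2018-06-21T03:12:09Z 166.111.8.246 203.0.113.12 443 S
2018-06-22T09:40:13Z 166.111.8.246 203.0.113.12 443 S
2018-06-21T03:15:40Z 198.51.100.7 203.0.113.10 443 SA
2018-06-21T03:15:41Z 198.51.100.7 203.0.113.10 443 SA
"""


def parse_flows(text):
    """Parse whitespace-separated 'timestamp src dst dport flags' lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(dport), flags))
    return flows


def defang(ip):
    """Render an IPv4 address as 166.111.8[.]246 so it is not clickable in a report."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def find_scanners(flows, min_hosts=2, min_ports=3, syn_only=True):
    """Return {src: (distinct destination hosts, sorted distinct ports)} for sources
    whose probes reach at least min_hosts destinations AND at least min_ports services.
    Requiring both axes filters out a legitimate client that talks to one service on
    many hosts, or to many services on a single host."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        if syn_only and f.flags != "S":   # completed handshakes are not probes
            continue
        hosts[f.src].add(f.dst)
        ports[f.src].add(f.dport)
    return {src: (len(hosts[src]), sorted(ports[src]))
            for src in hosts
            if len(hosts[src]) >= min_hosts and len(ports[src]) >= min_ports}


def daily_counts(flows, src):
    """Connection attempts per UTC day from one source; the shape of this series
    is what lets an analyst line scanning bursts up against external events."""
    counts = defaultdict(int)
    for f in flows:
        if f.src == src:
            counts[f.ts.date()] += 1
    return dict(counts)


def report(text=SAMPLE_FLOWS):
    """One human-readable line per flagged scanner, with the source IP defanged."""
    flows = parse_flows(text)
    lines = []
    for src, (n_hosts, plist) in find_scanners(flows).items():
        by_day = ", ".join(f"{d}: {n}" for d, n in sorted(daily_counts(flows, src).items()))
        lines.append(f"{defang(src)} probed {n_hosts} hosts on ports {plist}; per day: {by_day}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

On the constructed sample the scanner is flagged for touching 3 hosts on ports 22, 53, 139 and 443, while the second source, which completed handshakes to a single service on a single host, is not. The thresholds are deliberately low so the example runs on a dozen records; on real flow exports they should be tuned against a baseline, and a rising `daily_counts` series is what would have been compared against the profit-warning date in the incident above.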
