Cyber Incident Victim: Mongolian National Data Center Building
Date: Apr 2018
Location: Mongolia
Summary
Chinese state-sponsored actors used Tsinghua University infrastructure to conduct network reconnaissance against the Mongolian National Data Center Building alongside other strategic entities in Alaska, Kenya, and Brazil. The activity aligned with the economic goals of China's Belt and Road Initiative, concentrating on geopolitical organizations engaged in trade discussions or infrastructure partnerships with Chinese state entities. The threat actors systematically scanned ports to enumerate exposed services, though no confirmed malware deployment was observed at the Mongolian site. The operation showed consistent targeting of nations involved in China's foreign investment programs, reflecting broader cyberespionage in support of national economic interests.
Description
Between March and June 2018, Recorded Future's Insikt Group identified cyberespionage activity originating from IP address 166.111.8[.]246, registered to Tsinghua University in Beijing, targeting multiple geopolitical entities including the Mongolian National Data Center Building. The Tsinghua IP conducted systematic network reconnaissance against organizations in Alaska, Kenya, Brazil, and Mongolia during periods of economic dialogue with China, particularly around infrastructure investments tied to China's Belt and Road Initiative (BRI). In Mongolia, repeated connection attempts occurred between April 6 and 12, 2018, coinciding with Mongolia's role in the BRI's China-Mongolia-Russia Economic Corridor. The same IP scanned Alaska's Department of Natural Resources following Governor Bill Walker's trade mission to China, probed Kenya Ports Authority networks after Kenya declined a China-EAC trade deal, and targeted Brazilian state networks during Chinese port construction in Maranhão.

Technical analysis showed the Tsinghua IP acting as an internet gateway or VPN endpoint with multiple open ports (including PPTP, MySQL, and HTTP services). It made over one million connections to Alaskan networks alone through bulk scanning of ports 22, 53, 80, 139, 443, 769, and 2816. Metadata indicated the IP was likely a proxy for the true originating machines, with historical links to Chinese state-sponsored operations through Tsinghua's affiliations with China's 863/973 technology programs and CITIC Group's documented ties to PLA technology theft operations.
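The scanning pattern described above (one source, many hosts, a fixed set of ports, most attempts unanswered) is the kind of fan-out a network defender can pick out of connection logs. The following detector is an added example written for this page, not code from Recorded Future or from the report; it assumes Zeek-style conn.log fields, uses constructed sample records (the threshold values and the internal addresses are illustrative), and counts how many of the probed ports overlap with the port list the page reports.

```python
from collections import defaultdict
from dataclasses import dataclass

# Ports the page reports the Tsinghua IP bulk-scanned against Alaskan networks.
REPORTED_SCAN_PORTS = {22, 53, 80, 139, 443, 769, 2816}

# Zeek conn.log states treated as "no service answered" (S0: SYN seen, no reply;
# REJ: SYN rejected). Scanners accumulate these; real clients mostly see SF.
FAILED_STATES = {"S0", "REJ"}

# Constructed, tab-separated conn.log extract (ts, id.orig_h, id.resp_h,
# id.resp_p, proto, conn_state). Illustrative only, not data from the report.
SAMPLE_CONN_LOG = """\
1523000000.10\t166.111.8.246\t10.0.1.10\t22\ttcp\tS0
1523000000.11\t166.111.8.246\t10.0.1.10\t53\ttcp\tS0
1523000000.12\t166.111.8.246\t10.0.1.10\t80\ttcp\tSF
1523000000.13\t166.111.8.246\t10.0.1.11\t139\ttcp\tS0
1523000000.14\t166.111.8.246\t10.0.1.11\t443\ttcp\tREJ
1523000000.15\t166.111.8.246\t10.0.1.12\t769\ttcp\tS0
1523000000.16\t166.111.8.246\t10.0.1.12\t2816\ttcp\tS0
1523000000.17\t166.111.8.246\t10.0.1.13\t22\ttcp\tS0
1523000001.00\t203.0.113.7\t10.0.1.10\t443\ttcp\tSF
1523000002.00\t203.0.113.7\t10.0.1.10\t443\ttcp\tSF
1523000003.00\t203.0.113.7\t10.0.1.10\t443\ttcp\tSF
1523000004.00\t198.51.100.9\t10.0.1.12\t53\tudp\tSF
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    conn_state: str


def parse_conn_log(text: str) -> list:
    """Parse the six tab-separated fields used here; skip blanks and '#' header lines."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto, state = line.split("\t")
        conns.append(Conn(float(ts), orig_h, resp_h, int(resp_p), proto, state))
    return conns


def find_scanners(conns, min_targets: int = 6, min_failed_ratio: float = 0.5) -> dict:
    """Group connections by source and flag sources whose fan-out across distinct
    host:port targets is wide and mostly unanswered. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.orig_h].append(c)
    flagged = {}
    for src, rows in by_src.items():
        targets = {(c.resp_h, c.resp_p) for c in rows}
        failed = sum(1 for c in rows if c.conn_state in FAILED_STATES)
        ratio = failed / len(rows)
        if len(targets) >= min_targets and ratio >= min_failed_ratio:
            ports = {c.resp_p for c in rows}
            flagged[src] = {
                "attempts": len(rows),
                "hosts": len({c.resp_h for c in rows}),
                "distinct_ports": len(ports),
                "failed_ratio": round(ratio, 3),
                "reported_port_overlap": len(ports & REPORTED_SCAN_PORTS),
                "first_seen": min(c.ts for c in rows),
                "last_seen": max(c.ts for c in rows),
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(src, info)
```

On the constructed sample only the Tsinghua IP is flagged: eight attempts against four hosts and seven distinct ports, seven of eight unanswered, with all seven ports in the reported list. The legitimate HTTPS client that hits one host repeatedly and succeeds is not flagged, which is the point of keying on distinct targets and failure ratio rather than on raw connection volume.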

The incident also involved discovery of the "ext4" Linux backdoor on a Tibetan CentOS web server, though no successful connections were established from the Tsinghua IP despite 23 attempted TCP 443 connections between May and June 2018. To activate the backdoor, a client had to send, during a 180-second window that opened once an hour, a TCP packet with the NS, ECE and SYN flags set and an XOR-encoded payload that validated against the string "anti:"; the attempts from the Tsinghua IP did not meet these conditions. While the Tibetan targeting aligned with China's "Five Poisons" doctrine against perceived domestic threats, the Mongolian data center scans formed part of broader BRI-related cyberespionage rather than any direct association with the "ext4" malware.

Third-party metadata confirmed that the Tsinghua IP's scanning patterns correlated with specific geopolitical events, including the targeting of Daimler AG after profit warnings linked to U.S.-China trade tensions. No malware was confirmed on Mongolian systems, but the reconnaissance demonstrated systematic probing of critical infrastructure networks during sensitive diplomatic periods. The incident highlighted dual Chinese cyber operations against both domestic separatist groups and foreign economic targets, with Tsinghua University infrastructure serving as a conduit for state-aligned espionage spanning multiple continents and strategic sectors.
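The ext4 trigger conditions above (NS+ECE+SYN flags, an XOR-encoded "anti:" marker, a 180-second hourly window) are unusual enough to detect directly from packet headers: no ordinary TCP stack sets the NS bit on a SYN, and an ECN-capable SYN sets ECE together with CWR, not NS. The following classifier is an added example for this page, not code from the report or from the backdoor itself. It assumes the window opens at the top of each hour (the page gives only the duration and cadence), that the payload encoding is a single-byte XOR (the page says only "XOR-encoded"), and uses a made-up key of 0x5A in its constructed sample segments.

```python
import struct

# TCP flag bits of the 9-bit flags field: RFC 793 flags plus NS (RFC 3540).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR, NS = (1 << i for i in range(9))

# Trigger combination the page attributes to the ext4 backdoor. NS is not set
# by ordinary stacks on a SYN, so this combination alone is a strong anomaly.
EXT4_TRIGGER_FLAGS = NS | ECE | SYN
ACTIVATION_WINDOW_SECONDS = 180   # hourly listen window reported on the page
TRIGGER_MARKER = b"anti:"         # plaintext the backdoor validates after XOR decoding


def parse_tcp_segment(raw: bytes):
    """Return (src_port, dst_port, flags, payload) from a raw TCP segment."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    data_offset = (off_flags >> 12) * 4       # header length in bytes
    return src, dst, off_flags & 0x1FF, raw[data_offset:]


def build_tcp_segment(src: int, dst: int, flags: int, payload: bytes = b"") -> bytes:
    """Construct a minimal segment (20-byte header, checksum left zero) for testing."""
    return struct.pack("!HHIIHHHH", src, dst, 0, 0, (5 << 12) | flags, 65535, 0, 0) + payload


def has_trigger_flags(flags: int) -> bool:
    return flags & EXT4_TRIGGER_FLAGS == EXT4_TRIGGER_FLAGS


def in_activation_window(ts: float) -> bool:
    # Assumption: the window opens at the top of each hour; the page gives only
    # the 180-second duration and the hourly cadence, not the offset.
    return (ts % 3600) < ACTIVATION_WINDOW_SECONDS


def recover_xor_key(payload: bytes, marker: bytes = TRIGGER_MARKER):
    """Known-plaintext check assuming single-byte XOR. Returns the key byte if
    the payload decodes to start with the marker, otherwise None."""
    if len(payload) < len(marker):
        return None
    key = payload[0] ^ marker[0]
    if bytes(b ^ key for b in payload[:len(marker)]) == marker:
        return key
    return None


def classify_segment(raw: bytes, ts: float) -> dict:
    """Score one segment on flags, marker and timing, so that malformed attempts
    (marker without the flags, or right flags outside the window) are still visible."""
    src, dst, flags, payload = parse_tcp_segment(raw)
    flags_match = has_trigger_flags(flags)
    key = recover_xor_key(payload)
    if flags_match and key is not None and in_activation_window(ts):
        verdict = "complete_trigger"
    elif flags_match and key is not None:
        verdict = "trigger_outside_window"
    elif flags_match:
        verdict = "trigger_flags_only"
    elif key is not None:
        verdict = "marker_without_flags"
    else:
        verdict = "benign"
    return {"src": src, "dst": dst, "flags": flags, "xor_key": key, "verdict": verdict}


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


# Constructed samples. The XOR key 0x5A is an assumption for the demo, not the real key.
SAMPLE_TRIGGER = build_tcp_segment(40000, 443, EXT4_TRIGGER_FLAGS, xor_bytes(b"anti:id", 0x5A))
SAMPLE_ECN_SYN = build_tcp_segment(40001, 443, SYN | ECE | CWR)     # normal ECN-capable SYN
SAMPLE_BAD_ATTEMPT = build_tcp_segment(40002, 443, SYN | ECE, xor_bytes(b"anti:id", 0x5A))  # NS missing

if __name__ == "__main__":
    for name, seg in [("trigger", SAMPLE_TRIGGER), ("ecn_syn", SAMPLE_ECN_SYN), ("bad", SAMPLE_BAD_ATTEMPT)]:
        print(name, classify_segment(seg, 3600 * 10 + 30))
```

Run over captured traffic, the "trigger_flags_only" and "marker_without_flags" verdicts are the interesting ones for this incident: they match the page's description of connection attempts that reached the backdoor's port but did not satisfy all of its conditions, which is exactly the kind of failed activation the report observed from the Tsinghua IP.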
