
Cyber Incident Victim: Alaska Communications

Date: May 2018

Location: United States of America

Summary

Chinese state-sponsored actors operating from Tsinghua University infrastructure conducted network reconnaissance targeting Alaska Communications, the state's Department of Natural Resources, and government networks, coinciding with bilateral economic dialogues. The activity involved systematic port scanning of strategic Alaskan entities following trade discussions, aligning with broader cyberespionage patterns supporting China's Belt and Road Initiative interests in multiple countries. While the same infrastructure unsuccessfully attempted connections to a sophisticated Linux backdoor ("ext4") deployed against Tibetan targets, the reconnaissance against Alaskan networks demonstrated focused intelligence-gathering to advance China's economic objectives.

CIA Posture: available to members
Motives: 3 motives (details available to members)
Tactics, Techniques & Procedures: 2 techniques (details available to members)
Threat Actor: 1 actor (details available to members)
Type: available to members
Location: available to members

Description

In mid-2018, Recorded Future’s Insikt Group identified a Linux backdoor dubbed "ext4" targeting a CentOS web server affiliated with the Tibetan community. Analysis revealed 23 connection attempts to the compromised server between May and June 2018, all originating from IP address 166.111.8[.]246, registered to Tsinghua University in Beijing. This IP engaged in extensive network reconnaissance against multiple geopolitical targets, including Alaska Communications Systems Group, Alaska Department of Natural Resources, Alaska Power & Telephone Company, State of Alaska Government, and TelAlaska. Between April 6 and June 24, 2018, over one million connections from the Tsinghua IP targeted these Alaskan entities, systematically scanning ports 22, 53, 80, 139, 443, 769, and 2816 to identify vulnerabilities. The activity coincided with Alaska Governor Bill Walker’s "Opportunity Alaska" trade delegation to China in late May 2018, which focused on energy infrastructure projects such as a proposed Alaska-China gas pipeline. Scanning intensified in late March following the delegation’s announcement, decreased during the delegation’s visit, then surged after the visit and again between June 20 and 24 after Governor Walker announced plans to discuss U.S.-China trade tensions in Washington, D.C.


The Tsinghua IP also conducted reconnaissance against organizations in Kenya, Brazil, Mongolia, and Germany, aligning with China’s Belt and Road Initiative (BRI) economic goals. In Kenya, scans targeted the Kenya Ports Authority, the United Nations Office in Nairobi, and education networks shortly after Kenya declined a China-East African Community trade deal in May 2018. Brazilian scans focused on the Ministério Público do Estado do Amapá during Chinese port construction in Maranhão. Mongolian scans occurred in April 2018 amid BRI corridor planning. On June 21, 2018, the IP probed German automaker Daimler AG’s networks (ports 139, 22, 443, 53) one day after Daimler cited U.S.-China trade tensions in a profit warning. The IP also attempted to access a Holiday Inn internet portal via Safety NetAccess’s SNAP software, suggesting interest in vulnerable Nomadix gateways. The "ext4" backdoor used unusual TCP header options (SYN, ECE, and NS flags set on port 443) and XOR-encoded payloads triggered by "anti:" strings, but the Tsinghua connection attempts failed to activate it. Recorded Future found no malware in the scanned organizations but assessed with medium confidence that the activity supported Chinese state economic objectives, leveraging Tsinghua infrastructure historically linked to state-sponsored cyber operations.
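Two patterns in the description above lend themselves to simple network-level detection: a single source sweeping the reported port set (22, 53, 80, 139, 443, 769, 2816) across several hosts, and SYN segments to tcp/443 carrying the ECE and NS bits that the report attributes to the "ext4" activation attempt. The following analyzer is an added example, not code from the page or from Recorded Future; the log line format, the flag-letter notation, the sample IP addresses (documentation ranges) and the detection thresholds are all constructed for illustration.

```python
"""Added example: flag port sweeps and SYN+ECE+NS probes to tcp/443 in a
constructed flow log. Log format, addresses and thresholds are assumptions."""
import re
from collections import defaultdict

# Port set the report says was scanned against the Alaskan entities (from the page).
SCANNED_PORTS = {22, 53, 80, 139, 443, 769, 2816}

# Constructed sample log in an assumed format:
#   <timestamp> <src_ip> -> <dst_ip>:<dst_port> flags=<letters>
# Assumed flag letters: S=SYN, A=ACK, E=ECE, N=NS, C=CWR.
SAMPLE_LOG = """\
2018-06-21T09:00:01Z 203.0.113.5 -> 198.51.100.10:22 flags=S
2018-06-21T09:00:02Z 203.0.113.5 -> 198.51.100.10:53 flags=S
2018-06-21T09:00:03Z 203.0.113.5 -> 198.51.100.10:80 flags=S
2018-06-21T09:00:04Z 203.0.113.5 -> 198.51.100.10:139 flags=S
2018-06-21T09:00:05Z 203.0.113.5 -> 198.51.100.10:443 flags=S
2018-06-21T09:00:06Z 203.0.113.5 -> 198.51.100.11:22 flags=S
2018-06-21T09:00:07Z 203.0.113.5 -> 198.51.100.11:769 flags=S
2018-06-21T09:00:08Z 203.0.113.5 -> 198.51.100.12:2816 flags=S
2018-06-21T09:00:09Z 203.0.113.5 -> 198.51.100.12:443 flags=S,E,N
2018-06-21T09:01:00Z 192.0.2.7 -> 198.51.100.10:443 flags=S
2018-06-21T09:01:01Z 192.0.2.7 -> 198.51.100.10:443 flags=S,E,C
2018-06-21T09:02:00Z 192.0.2.9 -> 198.51.100.10:80 flags=S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"flags=(?P<flags>[A-Z,]+)$"
)


def parse_log(text):
    """Parse the assumed log format into flow dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flows.append({
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "flags": set(m["flags"].split(",")),
        })
    return flows


def detect_port_sweeps(flows, min_ports=5, min_hosts=2):
    """Return {src: sorted ports} for sources that touch at least min_ports of
    SCANNED_PORTS across at least min_hosts distinct destinations."""
    ports_by_src = defaultdict(set)
    hosts_by_src = defaultdict(set)
    for f in flows:
        if f["dport"] in SCANNED_PORTS:
            ports_by_src[f["src"]].add(f["dport"])
            hosts_by_src[f["src"]].add(f["dst"])
    return {
        src: sorted(ports)
        for src, ports in ports_by_src.items()
        if len(ports) >= min_ports and len(hosts_by_src[src]) >= min_hosts
    }


def detect_ext4_handshake(flows):
    """Return (ts, src, dst) for SYN segments to tcp/443 that also carry ECE and NS,
    the header combination the report attributes to the ext4 activation attempt.
    A normal ECN-capable SYN sets ECE together with CWR and leaves NS clear, so the
    NS bit is the discriminator and the SYN+ECE+CWR line below is not reported."""
    return [
        (f["ts"], f["src"], f["dst"])
        for f in flows
        if f["dport"] == 443 and {"S", "E", "N"} <= f["flags"]
    ]


if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("port sweeps:", detect_port_sweeps(flows))
    print("ext4-style 443 probes:", detect_ext4_handshake(flows))
```

On the constructed sample, only the sweeping source is reported, and the SYN+ECE+CWR line from a second host is left alone because it matches ordinary ECN negotiation rather than the NS-bearing pattern. In a real deployment the thresholds would be tuned per network, and the 443 rule would be paired with the volume rule, since a single matching SYN is weak evidence on its own.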

Sources

1 source (available to members)