
Cyber Incident Victim: State of Alaska Government

Date: Mar 2018

Location: United States of America

Summary

Chinese state-sponsored actors conducted network reconnaissance targeting the State of Alaska Government and its Department of Natural Resources, leveraging infrastructure associated with Tsinghua University. The activity aligned with China's Belt and Road Initiative economic goals, focusing on sectors central to bilateral trade discussions such as oil and gas. The reconnaissance involved systematic scanning of Alaskan networks to identify vulnerabilities, coinciding with diplomatic engagements and escalating trade tensions between the U.S. and China. This operation was part of broader cyberespionage efforts against geopolitical entities of strategic interest to Chinese economic development.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Between March and June 2018, a Tsinghua University-associated IP address (166.111.8[.]246) conducted extensive network reconnaissance targeting multiple Alaskan organizations, including the State of Alaska Government, Alaska Department of Natural Resources, Alaska Communications Systems Group, Alaska Power & Telephone Company, and TelAlaska. The activity involved over one million connection attempts, systematically scanning ports 22 (SSH), 53 (DNS), 80 (HTTP), 139 (NetBIOS), 443 (HTTPS), 769, and 2816 across dedicated IP ranges belonging to these entities. This scanning aimed to identify vulnerabilities for potential unauthorized access.

The targeting timeline aligned closely with Alaska's economic engagements with China, beginning in late March 2018 shortly after Governor Bill Walker announced a trade delegation to China. Activity intensified days before the "Opportunity Alaska" delegation arrived in China on May 20, 2018, paused during the delegation's visit, then surged again as delegates departed in late May. A secondary spike occurred between June 20-24, coinciding with Governor Walker's announcement of planned meetings in Washington, D.C., to address U.S.-China trade tensions. The Alaska Department of Natural Resources, overseeing oil and gas resources central to trade discussions about a proposed Alaska-China gas pipeline, was persistently targeted.

The Tsinghua IP's activities extended beyond Alaska to include network probing against entities in Kenya, Brazil, Mongolia, Germany, and a U.S.-based hotel internet gateway. Kenyan targets included the United Nations Office in Nairobi and Kenya Ports Authority following Kenya's rejection of a China-East African Community trade deal. Brazilian scans focused on the Ministério Público do Estado Do Amapá after China's $520 million port investment announcement. Mongolian government and university networks were probed during discussions on China-Mongolia-Russia economic corridors under the Belt and Road Initiative (BRI). On June 21, 2018, the IP scanned Daimler AG networks one day after the company cited U.S.-China trade tensions in a profit warning. The IP also attempted to interact with a Holiday Inn hotel gateway in Florida via Safety NetAccess’s SNAP portal, potentially targeting vulnerable Nomadix WindWeb servers.

Recorded Future attributed these activities with medium confidence to Chinese state-sponsored actors based on infrastructure ties to Tsinghua University—a state-owned institution linked to China’s 863/973 technology development programs—and precise alignment with China’s BRI economic dialogues. While no malware deployment was confirmed in Alaskan networks, the scale and timing of reconnaissance indicated strategic intelligence gathering to support China’s negotiation positions.
