Cyber Incident Victim: Association of Southeast Asian Nations
Date: Feb 2022
Location: Malaysia
Summary
Chinese-linked hackers compromised the Association of Southeast Asian Nations' mail servers using valid credentials and exploiting Microsoft Exchange vulnerabilities, stealing gigabytes of emails and sensitive correspondence affecting all member states. The breach, attributed to state-sponsored actors seeking political and economic intelligence, was the third known compromise of the organization since 2019, following prior intrusions involving ShadowPad and PlugX malware. The incident fits into broader regional cyberespionage campaigns against Southeast Asian governments and military entities, reflecting a sustained effort to gather intelligence on geopolitical issues and on infrastructure projects tied to China's Belt and Road Initiative.
Description
In February 2022, Chinese state-sponsored threat actors compromised mail servers operated by the Association of Southeast Asian Nations (ASEAN), exfiltrating over 10,000 emails totaling more than 30 gigabytes of data. The attackers used valid credentials to access Microsoft Exchange servers associated with the mail.asean.org and auto.discover.asean.org domains and exploited four known vulnerabilities that Microsoft had first disclosed in March 2021. Those vulnerabilities had previously been linked to Hafnium, a Chinese hacking group responsible for widespread attacks on Exchange servers in 2021. The espionage operation involved daily data theft over an unspecified period and, because diplomatic correspondence was compromised, affected all ten ASEAN member nations. A cybersecurity alert circulated to ASEAN governments stated that this was the third known compromise of ASEAN systems since 2019, following a July 2021 intrusion using ShadowPad malware and a May to October 2019 campaign that deployed PlugX malware to steal over 100 documents. The stolen data included sensitive communications between member states on regional policies, economic integration plans, and geopolitical discussions.

Discovery of the incident prompted cybersecurity agencies across ASEAN nations to issue advisories recommending credential resets, monitoring for unauthorized remote email collection, and patching of vulnerable Exchange servers. CyberSecurity Malaysia confirmed receiving the alert in 2022 and notifying domestic officials, while other member states declined public comment. The breach occurred weeks before a landmark May 2022 White House summit with ASEAN leaders, where regional security concerns involving China were discussed. Historical context shows that Chinese-linked groups have consistently targeted Southeast Asian governments: Recorded Future documented 400 compromised regional servers in 2021 and a 20% year-over-year increase in China-linked attacks during late 2022. Primary targets included entities involved in South China Sea disputes and Belt and Road Initiative projects. The stolen ASEAN communications offered insight into regional political alignments and negotiation strategies, and analysts noted the data's value in serving China's intelligence requirements regarding US diplomatic engagement in Southeast Asia. No public attribution statements or retaliatory measures from the affected nations were reported following the incident.
