Cyber Incident Victim: Roshan

Date: Jul 2020

Location: Afghanistan

Summary

A major Afghan telecommunications provider was targeted by four distinct Chinese state-sponsored threat groups through coordinated mail server intrusions, leveraging Winnti and PlugX malware variants for persistent access. The activity involved strategic intelligence collection aligned with regional geopolitical shifts, including heightened data exfiltration coinciding with security transitions in Afghanistan. Multiple uncoordinated adversary clusters—RedFoxtrot, Calypso APT, and two unidentified groups—conducted parallel operations, reflecting China's broader interests in monitoring regional stability, protecting Belt and Road Initiative investments, and expanding influence over critical infrastructure sectors. The compromise enabled extensive surveillance capabilities over communications data and potential tracking of individual targets.


Description

Between July 2020 and September 2021, Roshan, a major Afghan telecommunications provider, experienced sustained cyberespionage intrusions targeting its mail server infrastructure. Insikt Group identified four distinct Chinese state-sponsored threat activity groups conducting separate but overlapping operations against the organization. The earliest activity, attributed to the Calypso APT group, persisted from at least July 2020 through September 2021 and involved the exploitation of Microsoft Exchange servers using the ProxyLogon vulnerability chain (CVE-2021-26855, CVE-2021-27065). A second confirmed group, RedFoxtrot—linked to Unit 69010 of China's People’s Liberation Army Strategic Support Force—targeted the same Roshan server from March to May 2021 using PlugX malware command-and-control infrastructure. Two additional clusters of activity were observed: an unidentified threat actor employing the Winnti backdoor from August to September 2021, and another unknown group using PlugX malware from April to August 2021. These intrusions demonstrated limited coordination despite shared state sponsorship, reflecting the decentralized nature of Chinese cyberespionage operations. Data exfiltration events peaked during August and September 2021, coinciding with the US military withdrawal from Afghanistan and the Taliban's resurgence.

Technical analysis revealed the compromised Roshan server communicated with multiple adversary-controlled servers, including the Calypso APT-associated domain www.membrig[.]com, RedFoxtrot's PlugX infrastructure, the Winnti cluster's C2 at 45.76.144[.]44, and the unidentified PlugX cluster's C2 at 45.86.162[.]135 hosted through Australia-based Crowncloud. The Winnti cluster exhibited particularly high data exfiltration volumes during its operational period. All groups leveraged malware families historically tied to Chinese cyberespionage, including PlugX variants used by both RedFoxtrot and the unidentified fourth cluster. The targeting aligned with China's strategic priorities in Afghanistan following the US withdrawal, including counterterrorism concerns near Xinjiang, protection of Belt and Road Initiative investments, and intelligence gathering on telecommunications infrastructure. No remediation actions by Roshan were detailed in available reporting. The incident highlighted telecommunications providers as high-value targets for Chinese state-sponsored collection due to their capacity to enable bulk communication monitoring, individual tracking, and strategic influence operations in geopolitically volatile regions.
