Cyber Incident Victim: Public Ministry of the State of Amapá
Date: Apr 2018
Location: Brazil
Summary
Chinese state-sponsored actors conducted cyberespionage operations leveraging Tsinghua University infrastructure, targeting Brazil's Public Ministry of the State of Amapá with network reconnaissance scans to identify vulnerabilities. This activity coincided with China's Belt and Road Initiative investments in Brazilian infrastructure and mirrored broader campaigns against strategic entities in Alaska, Kenya, and Mongolia, aligning with Chinese geopolitical and economic objectives. The operations involved systematic probing of networks during periods of bilateral economic engagement, indicating intelligence-gathering efforts to advance state interests.
Description
Between April 2 and June 11, 2018, the Tsinghua University IP address 166.111.8[.]246 conducted repeated network reconnaissance attempts targeting the Public Ministry of the State of Amapá (Ministério Público do Estado do Amapá) in Brazil. This activity was part of a broader campaign originating from infrastructure registered to Tsinghua University, a Chinese state-owned academic institution with documented ties to Chinese state-sponsored cyber operations. The reconnaissance involved systematic scanning of ports and networks to identify potential vulnerabilities, consistent with methods used for cyberespionage. These attempts coincided with China's announcement of a $520 million port construction project in Maranhão, Brazil, under its Belt and Road Initiative (BRI), following extensive Chinese investments in Amapá's education and energy sectors in 2016. The Tsinghua IP's activities aligned temporally with key developments in China-Brazil economic relations, including the start of construction by Beijing-based China Communications Construction Co. on the Maranhão port. No evidence indicated a successful network breach or malware deployment against the Public Ministry of Amapá, though the scale and persistence of the scanning suggested deliberate intelligence-gathering objectives.

The targeting of the Brazilian entity occurred alongside similar network reconnaissance against government and commercial organizations in Alaska, Kenya, Mongolia, and Germany, all linked to China’s strategic economic interests. In Alaska, scanning activity intensified following trade discussions about energy infrastructure, while Kenyan targets were probed after Kenya declined a China-EAC free trade agreement. The Tsinghua IP also scanned German automotive firm Daimler AG within 24 hours of its profit warning citing U.S.-China trade tensions. Technical analysis revealed the IP functioned as an internet gateway or VPN endpoint with multiple open services, including HTTP, SSL, and VPN ports, and had a history of malicious activity flagged by third-party threat intelligence platforms. Metadata indicated the IP likely served as a proxy for hidden operational infrastructure. While the same Tsinghua IP attempted connections to a Tibetan network compromised by the "ext4" Linux backdoor, none succeeded due to incorrect TCP header configurations, leaving the relationship between the Tibetan targeting and broader reconnaissance unresolved. The collective activities demonstrated a pattern of state-aligned cyberespionage focused on entities engaged in economic dialogues or strategic projects relevant to China’s geopolitical objectives.
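The activity described above is a single external source touching many distinct hosts and ports over a long period. As an added example that is not part of the original report, the following detector flags that pattern in connection logs: it counts distinct (destination, port) targets per source inside a sliding time window and defangs the offending address for reporting. The log lines are constructed; the log format, field names and thresholds are assumptions.

```python
# Added example, not from the original report: flag sources that probe many
# distinct destination host/port pairs within a short window (reconnaissance
# scanning). Log lines and format are constructed; the source address is the
# page's defanged IP, refanged only so it parses like a real log field.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2018-04-02T03:14:05Z SYN src=166.111.8.246 dst=10.20.0.5 dport=22
2018-04-02T03:14:06Z SYN src=166.111.8.246 dst=10.20.0.5 dport=80
2018-04-02T03:14:06Z SYN src=166.111.8.246 dst=10.20.0.5 dport=443
2018-04-02T03:14:07Z SYN src=166.111.8.246 dst=10.20.0.6 dport=3389
2018-04-02T03:14:08Z SYN src=166.111.8.246 dst=10.20.0.7 dport=8080
2018-04-02T03:14:09Z SYN src=166.111.8.246 dst=10.20.0.8 dport=445
2018-04-02T03:20:00Z SYN src=198.51.100.7 dst=10.20.0.5 dport=443
2018-04-02T03:20:01Z SYN src=198.51.100.7 dst=10.20.0.5 dport=443
"""

def parse(line):
    """Split one constructed log line into (timestamp, src, dst, dport)."""
    ts, _flag, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp, fields["src"], fields["dst"], int(fields["dport"])

def defang(ip):
    """Render an address in the report's 1.2.3[.]4 style for safe sharing."""
    head, last = ip.rsplit(".", 1)
    return f"{head}[.]{last}"

def scan_sources(log, window=timedelta(minutes=5), min_targets=5):
    """Return {defanged src: max distinct (dst, dport) targets seen in any window}
    for every source that reaches min_targets; repeat hits on one target do
    not count, so a retrying legitimate client is not flagged."""
    events = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            stamp, src, dst, dport = parse(line)
            events[src].append((stamp, (dst, dport)))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        for i, (start, _) in enumerate(evs):
            # distinct targets within `window` of this event's timestamp
            targets = {t for stamp, t in evs[i:] if stamp - start <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            hits[defang(src)] = best
    return hits
```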
