Cyber Incident Victim: United Nations Office in Nairobi
Date: May 2018
Location: Kenya
Summary
The United Nations Office in Nairobi was targeted in network reconnaissance activities originating from Tsinghua University infrastructure, specifically IP 166.111.8[.]246, as part of broader Chinese state-sponsored cyberespionage operations aligned with China's Belt and Road Initiative economic objectives. The activities involved scanning ports 22, 53, 80, 389, and 443 to identify vulnerabilities, coinciding with Kenya's reconsideration of a China-East African Community trade agreement. This reconnaissance campaign also affected other geopolitical entities including Alaskan state agencies, Brazilian infrastructure organizations, and German automotive firms, demonstrating systematic efforts to gather intelligence supporting China's strategic interests.
Description
Between May and June 2018, Recorded Future's Insikt Group identified network reconnaissance activity originating from IP address 166.111.8[.]246, registered to Tsinghua University in China, targeting multiple geopolitical entities including the United Nations Office in Nairobi. This activity fit a broader pattern of scanning directed at organizations in Kenya, Brazil, Mongolia, Alaska, and Germany, coinciding with periods of economic dialogue or strategic developments relevant to China's Belt and Road Initiative (BRI). The Tsinghua IP conducted aggressive port scanning against Kenyan infrastructure in early June 2018, probing the United Nations Office in Nairobi alongside Kenya Ports Authority, Strathmore University, and national education networks. This surge followed Kenya's late May 2018 announcement rejecting a proposed free trade agreement with China under the East African Community framework. Scanning focused on ports 22, 53, 80, 389, and 443, consistent with reconnaissance to identify exposed SSH (22), DNS (53), web (80 and 443), and LDAP (389) services.

The activity was uncovered through analysis of a novel Linux backdoor called "ext4", discovered on a Tibetan community's CentOS web server, which revealed connection attempts from the Tsinghua IP. Although 23 connection attempts to the Tibetan server occurred between May and June 2018, none successfully activated the "ext4" backdoor because the TCP headers were incorrectly configured. Broader network metadata showed the Tsinghua IP simultaneously conducting reconnaissance against BRI-related targets, including over one million connections to Alaskan entities during trade negotiations and scans against Daimler AG following its China-related profit warning. No malware was confirmed on the UN Nairobi systems, but the consistent timing of scans with diplomatic developments indicated strategic alignment with Chinese state economic objectives. The IP had historical ties to Chinese state-sponsored operations through Tsinghua University's affiliations with national cybersecurity programs and state-owned enterprises such as CITIC Group, previously implicated in technology theft. Recommended defensive measures included network monitoring for the Tsinghua IP and scanning Linux systems for "ext4" artifacts, though the analysis documented no direct remediation actions by the victim organizations.
