At the United Nations headquarters in Nairobi, Kenya, bands of marauding monkeys often climb over the towering fences and roam the acres of closely mowed grass. But this June, another type of uninvited guest entered the U.N. premises.
Equipment located thousands of miles away at Tsinghua University, in the heart of Beijing, China, began to probe the U.N. networks in Kenya, according to research by Recorded Future, a cybersecurity research firm. The researchers observed “network reconnaissance activities” originating from the Tsinghua servers.
Chinese universities like Tsinghua, known as the MIT of China, are frequent hubs of hacking activity by the government, according to Recorded Future.
The U.N. seems to expect the aggressive cyber activity from China.
A spokesperson for the U.N. said they were not aware of the incident.
The research suggests the snooping was part of a wider Chinese effort directed at the African country.
“Africa is a huge fish for China,” Priscilla Moriuchi, director of strategic threat development at Recorded Future and former threat manager for East Asia and the Pacific at the NSA, told Fifth Domain. China has “invested billions on the continent and they have found a gap in terms of foreign influence. The countries desperately need infrastructure.”
Around the same time, Recorded Future says the Tsinghua servers began “aggressively scanning” a swath of Kenyan internet providers, telecommunications companies, government agencies and education networks.
Weeks before the activity, the Kenyan government rejected a free trade deal with the Chinese.
A spokesperson for the Chinese government did not respond to Fifth Domain’s inquiries.
The activity from Tsinghua appears to be part of a broader campaign by the Chinese government to mirror its aggressive cyber skills with its ambitious Belt and Road Initiative, according to Recorded Future. The Belt and Road Initiative is a trillion-dollar network of Chinese government infrastructure investments that span the globe. It is a centerpiece of the country’s global ambitions.
But the alleged state-based hacks are an example of unmentioned additions to trade deals. When China invests in foreign infrastructure as part of its Belt and Road campaign, experts say that Chinese cyberactivity will follow.
Cyber operations have always supported China’s foreign policy goals, Moriuchi told Fifth Domain. “If you take that map of the Belt and Road effort you will also find a pattern of cyber operations.”
In addition to the activity in Kenya, Recorded Future has recently seen the Tsinghua servers port-scan government and commercial networks in Mongolia, Brazil, and Germany. All of the probing is thought to be linked to Chinese trade initiatives.
Cyber espionage related to the Belt and Road plan will likely drive “emerging nation-state cyber actors to use their capabilities,” said an August report by the research firm FireEye. “Regional governments along these trade routes will likely be key targets of various espionage campaigns.”
FireEye also lists Chinese cyberattacks connected to economic trade on Belarus, “multiple European foreign ministries,” the Maldives, Cambodia, an international human rights NGO and global maritime firms.
The FireEye report said that the Chinese hackers typically launch these cyberattacks by using simple phishing and malware attacks. Hacks on Belarus are one such example. A Chinese cyber unit targeted Belarusian national security organizations by leveraging “joint-military exercise-themed documents,” the firm says. One such malicious file was apparently named “The Belt and Road Forum in Beijing.”
Chinese hackers have also increasingly put U.S. defense contractors in their cross-hairs, experts and former government officials have told Fifth Domain. In 2018, China hacked a Navy contractor and stole “massive amounts of highly sensitive data related to undersea warfare,” the Washington Post reported Jun. 8.
China is one of four countries that are considered a top cyber threat to the United States, Josiah Dykstra, a technical expert at the National Security Agency, said during the Black Hat conference in Las Vegas in August. China has been identified as conducting crippling cyberattacks on the U.S., including a hack on the Office of Personnel Management that stole sensitive details of more than 21 million federal employees. But Dykstra said that, recently, China’s cyber operations have “pulled back a little bit, they are a bit more tailored than they used to be, but still a very important nation for the United States.”
This post was updated to provide an accurate quote from a U.N. spokesperson.
Justin Lynch is the Associate Editor at Fifth Domain. He has written for the New Yorker, the Associated Press, Foreign Policy, the Atlantic, and others. Follow him on Twitter @just1nlynch.