
Three China-linked advanced persistent threat (APT) groups actively engaged in cyberespionage in Southeast Asia in 2021, the U.S. cybersecurity company Recorded Future's Insikt Group detailed in a Dec. 8 research report. In the nine months preceding the report's publication, Insikt Group identified more than 400 unique victim servers communicating with command-and-control (C2) infrastructure it assessed to be linked to Chinese APTs. A suspected Chinese APT that Insikt Group has provisionally labeled Threat Activity Group 16 (TAG-16) reportedly carried out an extensive campaign targeting senior government and military offices in Indonesia, Malaysia, the Philippines, Thailand and Vietnam. In May 2021, Insikt Group said it observed a cluster of infrastructure using Cobalt Strike and other tools to target telecommunications providers, government entities and state-owned enterprises in Laos. The research group is tracking the actor behind this activity as TAG-33 and notes that the campaign has relied heavily on Laos-themed C2 domains, such as LaoDailyLive.com and LaoDiplomat.com. This tactic has frequently been used in Laos by Goblin Panda, one of China's most prolific and advanced threat actors, although any overlap between the two actors remains unclear. Finally, Insikt Group said it observed a third cluster of activity, tracked as TAG-34, targeting Cambodia's Ministry of Foreign Affairs and the Sihanoukville Autonomous Port, Cambodia's only deep-water port, which is largely financed by Japan.

The campaigns appear connected to China's Belt and Road Initiative (BRI), providing three visible examples of Beijing pursuing strategic goals through cyberespionage in Southeast Asia. BRI is an expansive investment program spanning much of the globe but focused heavily on developing infrastructure in Southeast, Central and South Asia. Telecommunications and port projects, which TAG-33 and TAG-34 respectively targeted, are critical parts of the BRI. Although China has close economic and political relationships with Cambodia and Laos, Beijing still has an interest in monitoring both governments and remains concerned about rivals gaining a greater foothold in either country. Japanese investment in the Sihanoukville port, for instance, and the broader investment opportunities that Japanese and other foreign companies may pursue there, are all of interest to Beijing. Beijing also has regional political, not just economic, interests in mind when conducting cyberespionage: Chinese APTs have previously targeted Cambodian opposition figures and government officials for broader intelligence collection, as the U.S. cybersecurity firm FireEye documented around Cambodia's 2018 elections.

As China's rivals devote more resources to programs that counter the BRI, entities involved in major projects in countries with a large BRI presence may find themselves, along with the host government and/or state-owned enterprises they work with, at high risk of being targeted by Chinese APTs. The frequency of such intrusions will become a more significant issue as counter-BRI programs continue to develop, and attacks could affect government agencies, international financial institutions and a wide array of private companies. Adding to a growing list of similar programs launched by Japan, the United States and others, on Dec. 1 the European Union announced its "Global Gateway" strategy, which aims to invest up to 300 billion euros (about $334 billion) between 2021 and 2027 in "sustainable links" around the world. Given the extensive resources China's APTs enjoy, there are few parts of the world where China will lack the capacity to conduct cyberespionage against strategic targets. Even in Latin America, where China has fewer strategic interests than in Southeast Asia, Chinese activity has surged: Microsoft documented in two Dec. 6 blog posts that the threat actor it tracks as Nickel (also known as APT15 or Vixen Panda) launched an expansive campaign against governments, diplomatic entities and nongovernmental organizations in Central America, South America and the Caribbean, including relatively small countries such as Barbados, Guatemala and Jamaica.

Aside from BRI-linked economic concerns, as China becomes more aggressive in defending its claims in the South China Sea amid pushback from regional governments, Beijing's intelligence-collection efforts will also need to accelerate. Chinese threat actors have for years targeted Southeast Asian militaries, coast guards and other entities that directly shape their governments' policies and actions in the South China Sea, and this activity is well documented; TAG-16's campaign this year is only the latest example. Chinese cyberespionage efforts related to the South China Sea are likely to expand as the British, French, U.S. and other navies make more concerted attempts to challenge the legitimacy of China's claims by transiting the Taiwan Strait and holding military drills in the South China Sea. These and similar actions will reinforce Beijing's need for cyberespionage, particularly where foreign navies work with regional countries, expanding the array of potential targets.

Greater cyberespionage in Southeast Asia related to the South China Sea can serve several Chinese tactical and geopolitical objectives and will put more targets at risk. It can give China advance warning of potential naval maneuvers or exercises, allowing it to preempt them or pre-position its maritime assets. It can also give China advance notice of policy changes under debate within rival governments. Persistent cyber threats can act as a form of coercion against targeted entities while other organs of the Chinese government, such as the Ministry of Foreign Affairs, work to influence foreign governments. Most Chinese cyberespionage related to the South China Sea currently focuses on government entities, but as competition intensifies, nongovernmental entities that act as contractors for regional navies and companies engaged in commercial activity in the South China Sea, such as exploration for oil and natural gas off the coasts of Indonesia, Malaysia or Vietnam, could all be targeted. Should tensions rise significantly, Chinese APTs could even attack entities unrelated to the South China Sea whose host governments are actively involved in territorial disputes with China, as a form of either deterrence or retaliation for actions Beijing views as hostile, thereby further expanding the pool of potential victims.

RANE