Just as the US was completing its withdrawal from Afghanistan, several China-linked cyberespionage groups were seen intensifying attacks on a major telecom corporation. Recorded Future, a threat intelligence firm, reported on Tuesday that it has witnessed four different Chinese threat groups target a mail server belonging to Roshan, a large telecom provider in Afghanistan with over 6.5 million subscribers.
According to Doug Madory, Director of Internet Analysis at Kentik and a veteran observer of worldwide traffic trends, “Roshan is one of the largest suppliers of Internet access to the people of Afghanistan” and a major source of online traffic in and out of the nation.
Calypso and RedFoxtrot, as well as two different Winnti and PlugX activity clusters that Recorded Future researchers were unable to link to other known actors, carried out the attacks. The researchers believe it's not unusual for Chinese hackers to target the same Roshan mail server because they often have diverse intelligence requirements and don't coordinate their actions.
Some of the groups had been able to access the mail server for months, but the attacks seemed to pick up steam in August and September, just as US forces were leaving Afghanistan. During this time, the researchers noted an uptick in data exfiltration activity.
Roshan was told of the compromises by Recorded Future before Insikt Group made the assaults public. A Chinese Embassy spokesperson described pinpointing the source of cyber assaults as a "difficult technological problem" in an email sent after the report was posted.
“Linking cyber-attacks directly to one certain government is a highly sensitive political issue. China hopes that relevant parties will adopt a professional and responsible attitude,” the statement said. “Qualitativing cyber incidents must be based on sufficient evidence instead of groundless speculation,” the spokesperson wrote.
The first activity linked to Roshan, according to the experts, was tied to the suspected Chinese state-sponsored group Calypso Advanced Persistent Threat (APT). That infiltration appears to have started in July 2020 and continued through September 2021, with a spike in activity in August and September of this year.
From at least March through May of this year, the researchers discovered the same Roshan mail server connecting with the infrastructure of another known suspected Chinese APT group, RedFoxtrot.
According to an Insikt report published Tuesday, RedFoxtrot also appeared to have infiltrated another undisclosed Afghan cellular operator during this time. RedFoxtrot was previously identified as targeting unnamed telecommunications firms in Afghanistan, India, Pakistan, and Kazakhstan, according to a study published by the research team in June. The RedFoxtrot was also linked to Unit 69010 of the People's Liberation Army in Ürümqi, Xinjiang, according to the study.