China’s Belt and Road project (BRI) is a driver of regional cyber threat activity

Pierluigi Paganini August 19, 2018

Security experts have observed increasing cyber espionage activity related to China’s Belt and Road Initiative (BRI).

The alarm was launched by the experts from cybersecurity firms FireEye and Recorded Future.

China’s Belt and Road Initiative (BRI) is a development project for the building of an infrastructure connecting countries in Southeast Asia, Central Asia, the Middle East, Europe, and Africa.

For this reason, the project is considered strategic for almost any intelligence Agency.

FireEye defined it as a “driver of regional cyber threat activity”, experts warn of a spike in espionage operations aimed at gathering info in the project.

Cyber spies are already targeting organizations from various sectors that are involved in the project.

“Cyber espionage activity related to the initiative will likely include the emergence of new groups and nation-state actors. Given the range of geopolitical interests affected by this endeavor, it may be a driver of emerging nation-state cyber actors to use their capabilities,” reads a report published by FireEye.

FireEye uncovered an espionage campaign carried out by the China-linked APT group dubbed Roaming Tiger.

The Roaming Tiger campaign was discovered by experts at ESET in 2014, in December 2015 experts uncovered a cyber espionage campaign aimed at Russian organizations.

The APT group targeted entities in Belarus using specially crafted documents that referenced the Chinese infrastructure project as a bait.

FireEye observed the use of several malicious codes against organizations involved in the BRI project.

Chinese hackers used the TOYSNAKE backdoor to target several European foreign ministries. According to FireEye, another malware tracked as BANECHANT was used to target Maldives, a strategic center for financial investments related to BRI, meanwhile the LITRECOLA malware was used in attacks against Cambodia and the SAFERSING malware was involved in campaigns against international NGOs.

Experts also mentioned the recent attacks powered by the TEMP.Periscope group on the maritime industry.

“We expect BRI will also highlight the capabilities of emerging cyber actors across Asia and the Middle East and under what norms such nation-states sponsors will employ their capabilities,” FireEye said in its report. “Prior FireEye iSIGHT Intelligence reporting has noted that rising regional cyber actors, such as Vietnam, have been willing to employ their espionage capabilities against foreign corporations conducting business inside their borders. Similarly, there may be a willingness for other nation-state actors to aggressively target private sector organizations contributing to BRI.”

Researchers at Recorded Future also reported several attacks originating from China, precisely from the Tsinghua University.

The hackers targeted Tibetan community and many governments and private sector organizations worldwide.

The attacks launched from the Tsinghua University targeted Mongolia, Kenya, and Brazil, that “are key investment destinations as part of China’s Belt and Road Initiative.”

“During the course of our research, we also observed the Tsinghua IP scan ports and probe government departments and commercial entities networks in Mongolia, Kenya, and Brazil. Each of these countries are key investment destinations as part of China’s Belt and Road Initiative.” states the report published by Recorded Future.

“We assess with medium confidence that the consistent reconnaissance activity observed from the Tsinghua IP probing networks in Kenya, Brazil, and Mongolia aligns closely with the BRI economic development goals, demonstrating that the threat actor using this IP is engaged in cyberespionage on behalf of the Chinese state,” 


The appendix in the PDF report published by Recorded Future includes a full list of the associated indicators of compromise.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – China’s Belt and Road Initiative project, cyberespionage)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment