Possible rise of Chinese cyber-espionage in Malaysia
By Dzof Azmi August 20, 2018
- FireEye identifies a pattern of China-based threat groups attempting to gather intelligence
- Similar activities already observed in the run-up to the recent Cambodia elections
MALAYSIA is possibly facing a wave of increased cyber-espionage due to changes in government policies relating to the Belt and Road initiative.
"The recent elections (in Malaysia) that caused the reassessment of projects related to the Belt and Road initiative are actually a driver for what we believe will be a heightened risk of cyber-activity," said Sandra Joyce, FireEye vice president and Head of Global Intelligence Operations.
"Malaysia is looking more and more like a typical target of Chinese-sponsored activity," she continued, clarifying that by "Chinese-sponsored", she meant "state-sponsored".
"I would say any organisation that has a contract, policy or some type of Belt and Road-related initiatives should consider themselves at heightened risk from cyber-attackers," continued Joyce. "The East Coast Rail Link (ECRL) initiative in particular would be a major interest."
FireEye have identified in other countries a pattern of China-based threat groups attempting to gather intelligence from organisations linked to the Belt and Road initiative.
"We are seeing China, for example, sending spear phishing emails compromising organisations that have to do with Belt and Road initiatives," continued Joyce.
(Spear phishing is a customised form of phishing where an attacker attempts to obtain confidential or sensitive data by posing as a trustworthy source, specifically using a customised identity selected with the specific target in mind.)
This alert is given despite there being no detected increase of attacks in Malaysia at the moment. "If you wait until it happens, it's too late," stressed Joyce.
Joyce further explained that this cyber-espionage seemed to have gone hand-in-hand with the development of the Belt and Road initiative. "You notice trillions of dollars of investment that China's putting in the geopolitical landscape has to do with motivating cyber-activity."
Joyce can further pinpoint one threat group as being the potential culprit. "We have seen this TEMP.Periscope group (and) we've been tracking it since 2013."
Joyce feels there is enough forensic evidence that points to China.
Other evidence includes the IP addresses being used, the keyboard settings set to the Chinese language, and infrastructure that had been previously used by other Chinese groups.
Taken in context with other evidence, it becomes compelling. "We look at that (against) the backdrop of the Belt and Road initiative and the investments that are being made, the spear phishing emails that are being sent, and we have a pretty clear picture coming together," concluded Joyce.
Cambodia elections targeted
Joyce highlighted TEMP.Periscope's activities during the recent Cambodian elections as a warning. According to her, the group had compromised ministries and government organisations in order to understand the political environment in the country.
"We believe that China is very interested in the election activity of Cambodia because of the major investments that China has been making in there related to the Belt and Road initiative."
Nevertheless, there was no evidence seen of any attempt to affect the outcome of the election. "What we saw was an intent to gain information about the Election Commission, the daughter of an opposition candidate who's imprisoned, various individuals and organisations that are in a position to influence the election."
"At the end of the day the power shifts that are occurring are of interest to countries who are conducting espionage," concluded Joyce, adding that it is also believed that TEMP.Periscope was doing something similar during the Hong Kong elections, and that a group called Roaming Tiger was monitoring Belarus, not surprising given the investment China has made in the Baltic nation.
Apart from China, Joyce indicated that threats to Malaysia may also come from other sources.
"There are emerging threat actors in Asia that continue to show their willingness to engage in this type of activity," she warned, citing Vietnam as an example.