IN MAY 2022, Joe Biden was on a charm offensive. The US president invited the leaders of 10 Southeast Asian nations to the White House for the first time for talks about the region, which is home to more than 600 million people. High on the agenda was China—a key trading partner for all the countries, but also a potential threat to their stability. Biden promised $150 million in extra support for the nations to help improve their security, infrastructure, and ongoing pandemic response.
However, in the weeks leading up to the meeting, according to a cybersecurity alert seen by WIRED, hackers working on behalf of China were stealing thousands of emails and sensitive details from the Southeast Asian nations. The cyberespionage, which has not been previously reported, is the latest in a string of incidents where Chinese-linked hackers have quietly compromised neighboring countries, looking to gain political and economic information.
According to the cybersecurity alert, Chinese-linked hackers were able to break into mail servers operated by the Association of Southeast Asian Nations (ASEAN) in February 2022 and steal a trove of data. The ASEAN organization is an intergovernmental body made up of 10 Southeast Asian countries, including Singapore, Malaysia, and Thailand. This was the third time the organization has been compromised since 2019, the document says.
The hackers were able to steal “gigabytes” of emails sent by ASEAN countries, and the data was stolen “daily,” according to the cybersecurity alert. It’s believed that the attackers stole more than 10,000 emails, making up more than 30 GB of data. The incident “impacts all ASEAN members due to correspondence that was compromised,” the alert says. The notification was sent to cybersecurity agencies, foreign affairs ministries, and other governmental organizations in all 10 of the ASEAN member countries.
Haji Amirudin Abdul Wahab, the CEO of CyberSecurity Malaysia, an agency under the country’s Ministry of Science, Technology, and Innovation, says it received the alert in 2022, notified officials within the country, and generally condemns hacking. Other nations impacted declined to comment or did not respond to WIRED’s request for comment. The ASEAN group itself did not respond to repeated requests for comment.
China’s embassy in the US did not immediately respond to a request for comment.
“ASEAN is really important as the key regional grouping, not just in Southeast Asia but beyond,” says Susannah Patton, director of the Southeast Asia Program at Australian think tank the Lowy Institute. Patton explains that ASEAN helps coordinate Southeast Asian policies across a number of different areas. “Even beyond Southeast Asia, ASEAN has an important role because it convenes or organizes other big regional summits,” Patton says. As a result, the data it holds could be useful for understanding political feelings in the region.
ASEAN helps to “amplify” the voices of the 10 member countries that are involved in it, says Scot Marciel, an Oksenberg-Rohlen Fellow at Stanford University and former US ambassador to Indonesia and Myanmar. The group holds both formal meetings and informal conversations, Marciel says, and will discuss everything from economic integration and infrastructure plans to trade negotiations and geopolitics. “That would all be stuff that I would think Beijing would be interested in,” Marciel says.
The cybersecurity alert seen by WIRED says that to steal emails from ASEAN, Chinese threat actors used “valid credentials” to compromise mail servers linked to the group. These Microsoft Exchange servers used the mail.asean.org and auto.discover.asean.org domains. The document also lists four Microsoft Exchange server vulnerabilities that were abused by those behind the hack. Microsoft first published details of the vulnerabilities in March 2021 and linked their use to Chinese threat actor Hafnium, which attacked tens of thousands of mail servers at the time.
The cybersecurity alert advised member countries to reset credentials, monitor remote email collection from unknown locations, and defend against the vulnerabilities. It also notes that this isn’t the first time Chinese threat actors have compromised ASEAN. In July 2021, the alert says, the ShadowPad malware was used to compromise the organization. Meanwhile, between May and October 2019, Chinese attackers used the PlugX malware to steal more than 100 ASEAN-related documents.
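One way to act on the alert's advice to monitor remote email collection from unknown locations, written here as an added example rather than anything from the alert or from ASEAN's own systems: the script below parses constructed mail-access records (date, account, client IP, protocol, bytes transferred), flags any mailbox access from outside a constructed list of known networks, and flags accounts whose daily download volume exceeds a constructed threshold, then reports accounts where that volume recurs on several days, matching the "daily" pattern the alert describes. The log format, network ranges, addresses and threshold are all assumptions for illustration.

```python
"""Added example: detect mailbox access from unseen networks and sustained
high-volume downloads. Log format, networks and thresholds are constructed
for this example and are not taken from any real environment."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed access records: date, account, client IP, protocol, bytes pulled.
SAMPLE_LOG = """\
2022-02-01 secretariat@example.org 203.0.113.10 EWS 120000
2022-02-01 secretariat@example.org 203.0.113.11 MAPI 90000
2022-02-02 secretariat@example.org 203.0.113.10 EWS 110000
2022-02-03 secretariat@example.org 198.51.100.77 EWS 2500000000
2022-02-04 secretariat@example.org 198.51.100.77 EWS 2700000000
2022-02-03 delegate@example.org 203.0.113.20 MAPI 50000
2022-02-04 delegate@example.org 203.0.113.20 MAPI 60000
"""

# Networks the organisation treats as expected client locations (constructed).
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Per-account daily download ceiling in bytes (constructed: 500 MiB).
DAILY_BYTES_THRESHOLD = 500 * 1024 * 1024


def parse_log(text):
    """Turn whitespace-separated access records into dicts; skips blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, ip, proto, nbytes = line.split()
        records.append({
            "date": date,
            "account": account,
            "ip": ip_address(ip),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return records


def is_known(ip):
    """True when the client address falls inside an expected network."""
    return any(ip in net for net in KNOWN_NETWORKS)


def find_anomalies(records):
    """Return alert tuples:
    ('unknown_location', date, account, ip)  for access from outside KNOWN_NETWORKS
    ('volume', date, account, total_bytes)    for a day's downloads above the ceiling
    """
    alerts = []
    daily = defaultdict(int)
    for r in records:
        if not is_known(r["ip"]):
            alerts.append(("unknown_location", r["date"], r["account"], str(r["ip"])))
        daily[(r["date"], r["account"])] += r["bytes"]
    for (date, account), total in sorted(daily.items()):
        if total > DAILY_BYTES_THRESHOLD:
            alerts.append(("volume", date, account, total))
    return alerts


def sustained_high_volume(alerts, min_days=2):
    """Accounts whose volume alerts recur on at least min_days distinct days,
    i.e. the recurring daily collection pattern rather than a one-off spike."""
    days = defaultdict(set)
    for kind, date, account, _ in alerts:
        if kind == "volume":
            days[account].add(date)
    return sorted(acct for acct, seen in days.items() if len(seen) >= min_days)


if __name__ == "__main__":
    found = find_anomalies(parse_log(SAMPLE_LOG))
    for alert in found:
        print(*alert)
    print("sustained:", sustained_high_volume(found))
```

In practice the known-network list would come from the organisation's own VPN and office ranges, and the records from Exchange's client-access or mailbox-audit logging; the point of the two checks together is that a valid credential used from an unfamiliar network, combined with downloads far above an account's normal daily volume, is a stronger signal than either observation alone.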
ShadowPad and PlugX are both remote-access tools that are commonly used by Chinese-linked hackers, says Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant. They operate as backdoors and allow hackers to take control of someone’s machine, including uploading and downloading files and moving through someone’s network. “PlugX has been the workhorse of Chinese cyberespionage for the past decade,” Read says.
Hacking Spree
For all countries across Southeast Asia, China is a crucial partner. The nation is the biggest power in the region, and trade between the countries is crucial to many of their economies. “China wants to build closer ties with these countries,” says Olivia Cheung, a research fellow at the China Institute at SOAS University of London. Chinese president Xi Jinping has talked of building a “community of common destiny” with ASEAN countries.
Despite this, the relationship is far from equal. China has spent billions on infrastructure and manufacturing across Southeast Asia—particularly through the Belt and Road Initiative, an infrastructure investment project that helps give China political and economic power. As a result, there are many tensions between the neighbors, including around the South China Sea. “Efforts to deepen positive relations are quite often offset by the Chinese government’s approach to securitize everything,” Cheung says.
China’s state-sponsored hackers are incredibly active in the area, multiple cybersecurity experts say. “The region holds vital strategic importance, due to its geographical location and its growing economic importance,” says Che Chang, a cyber-threat analyst at Taiwan-based cybersecurity firm TeamT5. Che says that in recent years government and military units in Southeast Asian countries have been a common target for China’s hackers. In the second half of 2022, there was a 20 percent increase in China-linked cyberattacks against Southeast Asian countries, compared with the same time in 2021, he says.
Security firm Recorded Future has tracked 10 Chinese-linked groups attacking Southeast Asian countries in the past two years—primarily government and military organizations. Throughout 2021, Recorded Future detected 400 servers in Southeast Asia that were communicating with malware infrastructure likely linked to Chinese state-sponsored actors, a report from the firm says. Malaysia, Indonesia, and Vietnam were targeted the most.
“The identified intrusion campaigns almost certainly support key strategic aims of the Chinese government, such as gathering intelligence on countries engaged in South China Sea territorial disputes or related to projects and countries strategically important to the Belt and Road Initiative,” the report says.
China’s state-sponsored hackers are considered some of the most sophisticated and capable in the world. Since the Ministry of State Security, the country’s civilian intelligence agency, largely took over cyber operations in 2015, it has been more aggressive in its hacking. Mandiant’s Read says that Chinese threat actors often share hacking tools, such as PlugX and ShadowPad, across different hacking groups.
Within Southeast Asia, Read says, it’s common for attacks to involve spear-phishing. “It’s a little bit less cutting edge than we see operating in other places,” Read says. But it can still get results. Read cites one phishing email sent to multiple Southeast Asian countries named 2021ASEANcontactlistupdate.doc. “The amount of cyber intrusions are driven by intelligence requirements—somebody in Beijing saying, ‘We need to know more about this because it’s important,’” Read says.