Suspected Chinese spies cover tracks in efforts to breach Vietnamese government

Written by

A previously undocumented group of Chinese-speaking spies conducted a months-long campaign to infect the computers of government agencies in Vietnam and other Asian countries, researchers from the antivirus firm Kaspersky said Monday.

The findings point to how alleged Chinese hacking groups overlap —  and may collaborate — in their longstanding efforts to infiltrate the Southeast Asian governments with which China quarrels over territory.

For example, the hackers’ techniques bear some similarities to that of a Chinese-speaking group called Cycldek that has been around eight years. But they’re also notably more advanced than Cycldek, leaving the Kaspersky researchers struggling to trace the specific origins of the group. The attackers executed code capable of taking full control of target computers, but they also stripped the code of digital clues that would make them easier to track.

“One hypothesis we have is that one or several former Cycldek operators could have joined another team,” Ivan Kwiatkowski, a senior Kaspersky researcher, said in an email. “It might also be two groups from the Chinese-speaking nebulae merging together, or even a whole new one benefitting from existing tooling.”

But these are merely theories that underscore how private sector researchers are dealing with fragments when trying to hunt seemingly state-linked spies.

The goal of the operation, which lasted at least from June 2020 to January 2021, appeared to be to gather “political intelligence,” Kwiatkowski said. Kaspersky did not identify the specific targets of the hacking activity.

The Vietnamese government appears to be at least partially aware of some of Cycldek’s recent work. Vietnamese government agencies have released two security advisories that mentioned malicious documents used by the group, as Joe Slowik, a senior security researcher at Domain Tools, pointed out.

Chinese hackers have plenty of reasons to spy on Vietnam. The two countries have a sometimes-tense relationship that has been marked by territorial disputes in the South China Sea. Security firm Anomali said last year that another group of China-linked hackers had tried to break into a Vietnamese government data center.

It’s not all one-way traffic in cyberspace between China and Vietnam, however.

Alleged Vietnamese spies tried to breach a government organization in Wuhan, China, last year in an apparent effort to monitor Beijing’s response to the coronavirus.

It is unclear how successful the latest suspected Chinese hacking campaign in Vietnam was. Kwiatkowski said his firm blocked the malicious tools that they detected.

In addition to Vietnam, security researchers have in recent years uncovered suspected Chinese hacking operations targeting Cambodia, Malaysia and the Philippines as Beijing projects power in the region.

The Chinese government regularly denies any involvement in offensive cyber-operations.