Chinese hackers controlled Kazakh critical IT Infra facilities for 2 years

Kazakhstan’s National Computer Emergency Response Team (Cert.kz), has announced that a group of Chinese hackers had access to the infrastructure of Kazakhstani telecommunication operators for two years. In February 2024, unknown persons published secret data leaked from iSoon (aka Anxun), one of the contractors of the Ministry of Public Security (MPS) of China, on GitHub. It is reported that iSoon is associated with Chengdu 404, a structure controlled by Chinese cyber intelligence known as APT41, claims  Cert.kz. According to this data, at least one Chinese hacker group had full access to the critical infrastructure of Kazakhstani telecommunication operators in the past two years. As the New York Times informs, the leaked documents, a portion of the hacking tools and data caches sold by the Chinese security firm, is part of a campaign to break into the websites of foreign governments and telecommunications firms.

iSoon is one of the hundreds of enterprising companies that support China’s aggressive state-sponsored worldwide hacking efforts. There will obviously is plenty more on GitHub, but presently Kazakhstan appears to have been of particular interest to Chinese intelligence services. The materials, which were posted to GitHub website recently, reveal an eight-year effort to target databases and tap communications Kyrgyzstan, Mongolia, Pakistan, Malaysia, Nepal, Turkey, India, Egypt, France, Cambodia, Rwanda, Nigeria, Hong Kong, Indonesia, Vietnam, Myanma, the Philippines and Afghanistan. The files also showed a campaign to monitor activities of ethnic minorities in China and online gambling companies. The Kazakh Digital Development, Innovation and Aerospace Industry Ministry said in a statement on 20 February 2024 that it has, together with the National Security Committee, (KNB), begun analyzing the leaked information to learn more.

The attackers targeted both general information, such as databases, and point information of specific individuals,  Ulysmedia.kz reports. The leak sheds light on the forms and methods of Chinese intelligence, using software, Trojans for Windows, Mac, iOS and Android, DDoS services, systems for de-anonymizing social network users, Wi-Fi hacking equipment and much more. Analysis shows that the volume of stolen information is quite immense and in some cases is in terabytes.  The Chinese APT41 group has been sitting in Kazakh infrastructure for about two years, and this is just the tip of the iceberg. No one knows how many undetected hacks and leaks of data occurred. All this is the result of unsystematic actions and the priority of departmental interests over the interests of the state. Kazakhstan needs a separate independent body outside the government responsible for cybersecurity – the Cybersecurity Agency,” the publication says.

It is assumed that attackers can attack Android and iOS devices and obtain any information. The documents report data leaks from Kazakh telecom operators such as Beeline, Kcell and Tele2 as seen below. The documents also contain references to Kazakh Telecom and UAPF. Kazakhstan have promised to conduct unscheduled inspections in the relevant organizations to ensure compliance with the requirements of the legislation of the Republic of Kazakhstan on personal data and their protection, as well as information security. There is information in the translation of one of the files in the leak which details targeted companies and the amount of data that was stolen: (i) telecom.kz – 257gb – (2021.05) – Main fields of the sample: name, email address, postal address, mobile phone number, registration data, etc.; (ii) beeline.kz – 637gb – (2019-2020) – The intranet is under control and call list data can be checked; (iii) kcell.kz – 820gb – (2019-2021) – Full control over the intranet, file server, anti-virus server can provide real-time request for call lists and request information about users, and finally; (iv) tele2.kz – 1.09tb – (2019-2020) – Full control over the intranet, file server, anti-virus server provides real-time request for call lists, positioning and request for user information.

One of the screenshots reportedly contains information on the mail server of the Kazakh Ministry of Defence. There are also files that include data about the Kazakh state-owned airline, Air Astana. The data leaks also mention that in the year 2019, perpetrators stole 1.92 gigabytes of data from the Unified Accumulative Pension Fund of Kazakhstan. After examination of phone numbers through different leaks and GetContact, Cert’s experts found out that personnel of security agencies were also targeted. Analysis reveals that the attackers were interested in both general information such as databases and more specific information related to individuals. In particular, the hackers looked for calls made by certain individuals, what they spoke and their places of travel. Data analysis showed that hackers stole terabytes of information, Cert.kz said in a statement.

Hackers controlled event logs of the operators; they even knew the duration of calls, IMEI codes of mobile devices and billing data of calls. The hackers reportedly monitored operator event logs, call duration, device IMEI (International Mobile Equipment Identity) and call billing. In addition, IDNET and IDTV user data with personal data of subscribers, their logins and passwords have been published. In December 2023, Kazakhstan’s President Kassym-Jomart Tokayev signed a law regulating the institution of white hat hackers (ethical hackers) as the government wanted these “good” hackers to identify security vulnerabilities in national information systems.

In January this year, the Ministry of Digital Development, Innovations and Aerospace Industry published a draft regulation for interaction with IT researchers also known as “white hat hackers”. According to the new rules, white hat hackers can participate in searching for vulnerabilities that can cause data leaks after obtaining a special token. Any attack on eGov.kz without a token would be considered unauthorized. In September 2023, some Kazakhstani media outlets reported that perpetrators used Venom RAT, a special software imitating NCAlayer, a public service for signing digital documents. As a result, criminals could get access to confidential information. 

The volume and nature of the data indicates systemic errors in the information security system in Kazakhstan. Available leak materials indicate that at least one hacker group had full access to the critical infrastructure of Kazakhstani telecom operators for more than two years. There is incomplete amount of information at the disposal of Kazakh authorities on the volume of data stolen. The Kazakh data base leak is an important example of the vulnerability of such systems in nations where China is active. Even otherwise, China remains engaged in a constant effort to hack into the computer systems of most countries. The privatization of this effort reflects China’s effort to improve deniability. The GitHub treasure trove will undoubtedly throw up many more such cases, Kazakhstan appears to have been one of the primary targets. (The Hong Kong Post)