Chinese espionage campaigns and cyberattacks on critical infrastructure in Southeast Asia

By Sylvie Truong, The Readable
Feb. 22, 2024 10:05PM GMT+9

In early 2024, several member states of the Association of Southeast Asian Nations (ASEAN) were targeted in cyberattacks linked to China-backed threat actors. These incidents encompassed both espionage campaigns directed at government agencies and cyberattacks on vital infrastructure, orchestrated by Chinese entities.

While both cyber espionage campaigns and cyberattacks on critical infrastructure pose significant threats to national security, state sovereignty, and public safety, their objectives and potential impacts differ. Cyber espionage campaigns primarily target government entities or corporations with the goal of intelligence gathering, reconnaissance, and surveillance. In contrast, cyberattacks on critical infrastructure are designed to disrupt or disable essential services and systems, such as drinking water supplies, transportation networks, and communication systems. Such attacks can lead to immediate and widespread chaos, significantly endangering public safety.

Chinese espionage campaigns in Southeast Asia

In January, Vietnam publicly named a number of Chinese advanced persistent threat (APT) groups as sources of cyber espionage, highlighting the increasing concerns over cybersecurity in the region. APTs are sophisticated threat actors often backed by nation-states or state-sponsored entities. The specific China-backed groups identified by Vietnam include APT31, APT41, Grayling, Mustang Panda, and SharpPanda. Vietnam observed a significant surge in espionage-related cyberattacks, with a 55% increase in 2023 compared to the prior year. These attacks targeted more than 280,000 computers across various government agencies, which is indicative of the scale and intensity of China’s cyber espionage efforts.

In February, the Philippine government convened an emergency briefing to address a series of cyberattacks targeting its government agencies, which were allegedly perpetrated by Chinese hackers. Among the affected entities were the office of the Philippine Cabinet Secretary, the Department of Justice, the National Coast Watch System, the Philippine Coast Guard, the Department of Information and Communications Technology, and the personal website of President Ferdinand Marcos Jr. Philippine officials were able to trace several Internet Protocol (IP) addresses back to China, implicating Chinese hackers in the attacks.

Furthermore, evidence of Chinese espionage campaigns has been detected in other ASEAN countries, notably Malaysia and Myanmar. Reports also indicate that Laos, Thailand, Indonesia, and Cambodia have been targets of cyber operations attributed to China.

Cyberattacks on critical infrastructure in Asia

Recent findings from Unit 42, the threat intelligence division of cybersecurity firm Palo Alto Networks, suggest that Chinese hackers infiltrated more than 20 Cambodian government agencies, including sectors of critical infrastructure such as telecommunications. In a separate investigation conducted in 2023, the Threat Hunter Team at Symantec disclosed that a threat actor group known as Redfly compromised the national power grid of an unspecified Asian country. Redfly used ShadowPad, malware frequently linked to China-supported cyber espionage groups. While the affected nation was not identified, the incident serves as a significant warning to ASEAN member states about the vulnerabilities of their critical infrastructure. Symantec has warned that Redfly appears to focus exclusively on organizations associated with critical infrastructure.

Initiating protocols for defensive measures

In light of the potential chaos that espionage campaigns and cyberattacks on critical infrastructure can unleash, the development of defensive strategies to prevent further disruptions to public safety is essential. For instance, Singapore is conducting Exercise SG Ready from February 15 to February 29, the first time the exercise has been held. This nationwide initiative is designed to improve the preparedness of Singaporean citizens for crises and cyber disruptions. It includes simulations of various threats such as disinformation campaigns, drone attacks, and cyberattacks aimed at vital sectors, including power, water, food distribution, and digital networks.

While the outcomes of Exercise SG Ready are yet to be determined, as it is still in progress, the initiative stands as a significant proactive measure that merits close attention. In the face of a continuously evolving landscape of cyber threats, participation in exercises like SG Ready can help nations maintain a stance of proactive vigilance.

In conclusion, it is imperative for ASEAN member states to prioritize the enhancement of their defensive cyber capabilities to safeguard their critical infrastructure and national security. By promoting public awareness and enhancing regional collaboration, ASEAN can establish a more robust security infrastructure to better ensure the safety and security of its citizens.

The cover image of this article was designed by Areum Hwang. This article was reviewed by Dain Oh and copyedited by Arthur Gregory Willers.

Sylvie Truong is a regular contributor to The Readable. Her interest in cybersecurity began in 2015, while working as a biomedical research assistant at Columbia University’s Irving Medical Center. She worked in the Molecular Imaging and Neuropathology Division, analyzing data using various software programs. Due to her experience there, she developed an interest in cybersecurity and implementing better practices to protect personal data, valuable research information, and more. Sylvie holds a master’s degree in neuroscience and education from Columbia University.