When researchers at Recorded Future found evidence of Chinese surveillance of networks in Alaska — they weren’t exactly looking for it.
Instead, the companies’ data scientists, intelligence analysts and engineers were trying to figure out what a compromised network in Tibet was being used for.
“Well that kind of led us down sort of this other rabbit hole that takes us to the rest of the report which is what we see as malicious activity that’s coming from this university in China, Tsinghua, which is essentially the equivalent of China like MIT, you could say,” Priscilla Moriuchi said. She’s the Director of Strategic Threat Development and supervises the team at Recorded Future that put out a report on the surveillance.
The report details evidence that computers at Tsinghua University in Beijing were being used to gather information on networks in Kenya, Brazil, Mongolia and Alaska.
In Alaska, the report documents over one million connections between the Chinese university and several networks in the state including the Alaska Communications Systems Group, or ACS, the Alaska Department of Natural Resources and the State of Alaska Government.
There’s no evidence that any of those connections successfully penetrated a network in Alaska — no evidence of a successful hack.
When reports of the scanning activity were made public, a spokesperson from Governor Bill Walker’s office said it was routine anonymous activity. Basically, someone checking to see if the doors are locked on Alaska’s networks.
“There are computers and networks that literally do only one thing and that is scan every single person’s computer that’s connected to the Internet looking for vulnerabilities. That’s, sort of, one type of scanning which is like … checking to see if the doors are locked,” Moriuchi said. “This is a much different type of scanning. We would actually refer to it more like reconnaissance which is this type of scanning that is very targeted… so it’s a bit more than just checking to see if the front door is locked, right? It’s like knocking on all the windows, looking at your security system, poking around in the sand around your house… also doing it while you’re not home and they know you’re not going to be home.”
Moriuchi says the scanning was very targeted and pointed at a specific number of ports in Alaska networks that are exploitable.
“So, it’s highly focused, very, very high volume, extensive and very peculiar,” Moriuchi said. “Tailored right to these Alaskan network vulnerabilities that the Chinese actors were looking for.”
Walker’s administration is also doubling down on the idea that those scans may not have come from China.
When reached via text on Friday, Walker’s press secretary Austin Baird wrote that no one from the state’s office of information technology was available to talk about the issue and that Walker’s administration still does not believe that the surveillance came from China.
Moriuchi and other cyber-security experts are questioning the wisdom of ignoring signs that someone in China is attempting to spy on Alaska.
Moriuchi said there’s no question that the scanning came from the Chinese university. What isn’t clear, she said, is whether it came from university students or, at the behest of the Chinese government.
“People will say that ‘university students do all kinds of things on the university networks.’ And you know, ‘how is it possible that you could suspect that this would be a Chinese kind of state-sponsored activity,’” Moriuchi said.
Moriuchi says the timing of the scans — between April 6 and June 24 – indicates that Alaska was targeted before and after Walker’s trade mission to China in late May.
At the Washington D.C.-based nonprofit Center for Democracy and Technology, Chief Technologist Joseph Lorenzo Hall said it is common for this type of scanning to originate from China. Usually, he said, it is followed up with attacks on the networks.
“And you know it seems a little dismissive of the Alaskan government to say, ‘we’re not even sure this is from China.’ If you know Recorded Future and other folks like that have global infrastructure that can see certain kinds of data flows and they drop in that report,” Hall said. “The actual IP addresses … you can look for yourself and see that that IP address is allocated matching Tsinghua University.”
Hall said the state should dig deeper and make sure there weren’t any successful hacks.
“You know, while I can imagine the Alaska government saying, ‘hey, nothing to see here whatever from the PR perspective.’ I really hope at the same time they’re going back and looking at logs and stuff from that time period,” Hall said.
Both Hall and Moriuchi said Alaska should be vigilant against further attempts at surveillance, especially as it continues commercial negotiations with China to build a natural gas pipeline.
“So while this is not a way of telling Alaska that your network has certainly been victimized, it’s a good indicator and we were kind of putting it out there to warn the state government that you guys, just in case you didn’t know … the state government is a target for Chinese hackers,” Moriuchi said.