A new report by tech firm Recorded Future has revealed the extent to which hackers affiliated with China’s prestigious Tsinghua University have helped the Chinese regime further its national agenda by spying on international entities.
Recorded Future, which analyzes cyber threats around the world, detected high levels of spying activity from a Tsinghua University IP address during periods of trade negotiations between the United States and China.
The report, published on Aug. 16, also found that the Tsinghua entity conducted espionage on government and commercial organizations in countries that China has partnered with in its Belt and Road initiative (BRI), a project where the Chinese regime has invested in countries throughout Asia, Africa, Europe, and Latin America to build infrastructure projects—and in the process, geopolitical influence.
It concluded “with medium confidence” that the Tsinghua IP’s spying activities were conducted with Chinese state backing in order to advance “China’s economic development goals.”
Tsinghua University, based in Beijing, is a state-owned institution. As a top engineering and tech research school, the university is home to a group of student hackers known as the Blue Lotus.
Tsinghua also has a history of connections to the state’s efforts to steal U.S. technology.
Tsinghua’s Institute of Information Systems and Engineering, for example, is affiliated with China’s National 863 and 973 programs. The 863 Program targets key industries such as biotech, space, and energy “for efforts to clandestinely acquire U.S. technology and sensitive economic information,” according to a 2011 U.S. intelligence report. Meanwhile, the 973 Program focuses on tech research. “Both programs have had the effect of making it easier for China to steal intellectual property in order to achieve program goals,” according to Recorded Future.
In addition, one of the university’s subsidiary companies, Tsinghua Holdings, has attempted investment deals with U.S. firms in order to acquire key technology that the Chinese regime wishes to develop domestically. Thus, it comes as no surprise that the university would conduct espionage on Beijing’s behalf.
Related to US Trade Tensions
Between April 6 and June 24, 2018, Recorded Future detected over one million internet connections between the Tsinghua group and several networks in Alaska involving the Alaska state government; the state Department of Natural Resources; and TelAlaska, a telecoms firm, among others. The timing coincided with a trade mission from May 19 to 26 led by Alaska governor Bill Walker to China to discuss the prospects of a natural gas pipeline project between Alaska and China.
“The spike in scanning activity at the conclusion of trade discussions on related topics indicates that the activity was likely an attempt to gain insight into the Alaskan perspective on the trip and strategic advantage in the post-visit negotiations,” Recorded Future stated.
There was another surge of activity during late June, after Walker announced that he planned to visit Washington, D.C. to meet with U.S. and Chinese officials and discuss his concerns about growing trade tensions between the two countries. This was right before the first set of United States tariffs on Chinese goods went into effect.
Recorded Future also found that the Tsinghua IP scanned networks belonging to German automaker Daimler AG on June 20, the day after the company announced that its profits were likely to diminish as a result of trade tensions between China and the United States.
Cars are a major player in the U.S.-China trade war, as both countries have enacted tariffs on each other’s car imports. China has also sought to increase investments in German automakers in order to push its domestic development of robotics and new energy vehicles. Chinese automaker Geely owns a 10 percent stake in Daimler, which makes Mercedes-Benz cars.
Belt and Road
The Tsinghua group has also attempted to spy on entities related to China’s BRI projects around the world, among which is a proposal to build a port in the state of Maranhao, Brazil. Between April 2 and June 11, the Tsinghua group attempted to connect with the public ministry of a nearby coastal state, right after construction on the port broke ground in March.
Similar attacks were detected on a Mongolian university and national data center, as well as a number of Kenyan entities such as its port authority, telecoms firms, and the United Nations Office in Nairobi. Mongolia is a key part of a proposed BRI economic corridor with Russia and China, while Kenya already has a BRI project completed: a railway that opened last year. Notably, the attacks on Kenya happened two weeks after the country decided not to sign a free trade agreement with China.