Chinese hackers impersonated Afghanistan’s presidential office to steal documents using Dropbox, research group says

A group of Chinese-speaking hackers is targeting Afghanistan’s top national security agency by impersonating the Office of the President of Afghanistan, according to the cyber threat analysis firm Check Point Research (CPR).

The ploy to infiltrate the Afghan National Security Council was uncovered in April after staff received a suspicious email that appeared to come from a government address but contained a malicious attachment, the US-Israeli research firm said in a report on Thursday. The attached malware, once opened, used Dropbox to mask the theft of sensitive documents.

“The cyberattack on the Afghan government is the latest in a series of attacks that have targeted Central Asia,” said CPR spokesman Ekram Ahmed. “The group is also fearless in the sense that they have no issues in targeting the highest levels of government.”

The attack is part of an operation going back to at least 2014 that has also targeted Kyrgyzstan and Uzbekistan, according to CPR, which identified the hacking group as IndigoZebra. Russian cybersecurity company Kaspersky put the group on a 2017 list of possible culprits targeting former Soviet republics. They are presumed to be based in China, Ahmed said.

CPR first detected the attack using telemetry data collected while crawling the internet, according to Ahmed. It was carried out using a Windows executable file stored in a password-protected RAR archive file named “NSC Press conference”. Once opened, the executable would install a backdoor and start siphoning off files, focusing on those stored on the desktop.

Additional malicious files and commands could be hidden from victims by being placed in the Dropbox folder, according to the report.