Myanmar, strategic interest of nation-state cyber actors
An open-source journey from 2012-2021 of massive cyber-espionage operations in Myanmar
Disclaimer: The views, methods, and opinions expressed at Anchored Narratives are those of the author and do not necessarily reflect the official policy or position of my employer.
Introduction
The word cloud on the cover of this article was generated on collected geopolitical Twitter data on the first of February 2021, but it remained a trending topic in the days to follow with #SaveMyanmar or #SaveBurma hashtags leveraged by users to raise worldwide awareness of the coup d'état that the military of Myanmar committed.
On the first of February 2021, the military of Myanmar seized control from the democratically elected leaders of the country, and Aung San Suu Kyi (Aung), its leader from the National League for Democracy (NLD) party, was arrested. Apparently, there has been a dispute over the outcome of the election of 8 November 2020, which was won by the NLD. Aung, a Nobel Peace Prize winner, has also been accused of involvement in a crackdown against the Muslim Rohingya population.
During the past week the military shut down media, phone lines, the internet, and the international airport, especially in certain regions, to avoid any foreign influence and to control the information. According to the Facebook page of the military of Myanmar, access will be restored by the 7th of February. Prior to the shutdown, residents of Myanmar massively downloaded an offline messaging app called Bridgefy¹.
On 2 February it became known that Myanmar’s top general Min Aung Hlaing, who had visited China’s top diplomat a month prior to the coup, was not condemned by China or Russia in the United Nations Security Council.
According to numerous geopolitical articles, the relationship between China and Myanmar has been marked by multiple disputes. China is the main investor in Myanmar and sees the country as a critical strategic partner in the Belt and Road Initiative (BRI). Myanmar is resource-rich and has sea access to the Indian Ocean, in which China has great interest; this access provides China an alternative route to the highly disputed South China Sea region. China is also involved in building a large hydroelectric dam in Myanmar, called Myitsone. The strategic partnership between Myanmar and China raised some concerns in India. India is also a large investor in Myanmar and sees the country as vital in its Indo-Pacific Oceans Initiative. India and Myanmar share a lengthy border and hold military and naval exercises with each other. Myanmar connects India to the rest of Southeast Asia and is therefore of strategic economic and security interest to India.
Although there are many (local) conflicts within Myanmar, China’s and India’s interest in Myanmar is very clear. So what do these relationships and interests mean for nation-state cyber activity against Myanmar? Let’s find out whether there were any recent Advanced Persistent Threat (APT) triggers relating to Myanmar.
Reported Myanmar nation-state actor cyber activity
As shared in an earlier article on Anchored Narratives, the benefit of implementing a threat intelligence process on Twitter data is that you can query historical data per country, region, or organization. With this, you are able to assess whether tweets were posted that could indicate nation-state actors targeting, in this case, Myanmar, its citizens, government, or industries.
By searching the keyword “myanmar” on the nation-state threat actor Twitter feed, multiple (re)tweets were found. I’ve only selected the two most relevant tweets. The following tweet was shared by user ‘securitymag’ on 4 November 2020.
"@Sophos uncovered #cyber attackers using DLL side-loading to execute malicious code and install #malware in the networks of non/gov organizations in #Myanmar, suggesting that the attackers involved may be a #Chinese #APT group. https://t.co/MwGNNbnEh5 #cybersecurity"
The link in the tweet refers to an article by Sophos, a cyber security firm, which detected a new alleged Chinese threat actor [10]. The actors targeted both government and non-government organizations in Myanmar by installing malware in their networks.
The same search revealed a tweet from 26 June 2020 by user “virusbtn” that Anomali, a threat security company, had found a new Chinese Advanced Persistent Threat (APT) group.
“Anomali researchers have analysed what they believe to be a new Chinese APT group targeting entities in Myanmar https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities … pic.twitter.com/ZBGWvYsuWj”
The article in the tweet will be referenced as [9].
The information in the reports shared by the security companies and some additional internet searches led to a trove of reported Chinese nation-state cyber activity in Myanmar. The reported activity goes back to 2012, but potentially even longer. Other nations, like India and Vietnam, have also expressed interest in Myanmar [11].
Based upon the reports, a timeline was created of the main cyber actor activity in Myanmar from 2012 until 2021. The timeline displayed below is based on open source information and is far from complete, but gives a graphic overview. Only the most relevant and interesting reported findings are displayed. There might also have been nation-state activity by other adversaries that has not been detected and is therefore not reported. The links to the reports are provided as references at the end of the article. The highlighted events are briefly explained below.
Leaked e-mails from November 2012 of a known Italian hacking company, HackingTeam (HT), revealed that the company had been in contact, via a supplier, with the military intelligence agency of Myanmar. HT offered an active hacking solution to Myanmar in 2014 [1]. The offer apparently did not materialize.
In February 2013 Google warned that journalists working in Myanmar were subject to state-sponsored attacks on their Gmail accounts. The article notes that a number of countries, including the U.S., India, and China, are trying to obtain a larger role in the country [2].
In August 2015 security company Arbor Networks released an interesting report on the investigation of a piece of malware, named Korplug, which was hosted on a website of the government of Myanmar involving the elections. An interesting artifact, “Kpsez-‐htday”, used by the attacker for authentication and control of the server, was found in the malware. Kpsez might be a reference to the Kyauk Phyu Special Economic Zone, which according to its website “The Kyauk Phyu Special Economic Zone (KP SEZ) will see the development of a deep sea port that will unlock the potential of the hinterland and fulfil Myanmar’s potential as a trade corridor for Africa/Middle East and China.” In the Arbor report, the attackers also used election invitations in file names. E-mail phishing was the main attack vector.
In May and September 2015, multiple reports were released about the known Chinese hacking group Naikon. According to the reports, the Naikon APT group is connected to the Chinese People’s Liberation Army Unit 78020. In a very detailed report released by ThreatConnect, they even connected a hacker with the handle GreenSky27 to a PLA officer named Ge Xing. Unit 78020 conducted multiple cyber-espionage campaigns against military, diplomatic and economic entities in Myanmar. The main attack vector was phishing via e-mail, leveraging weaponized RTF files opened in Microsoft Office. The files exploited a vulnerability in the software (CVE-2012-0158).
In April 2016 the known malware Poison Ivy was used in lures referencing the elections and the democracy of Myanmar. Similar malware had been used to target the citizens of Hong Kong. The weaponized documents that lured users into installing the malware referenced the Association of Southeast Asian Nations (ASEAN) meeting that took place in Myanmar in September 2015 [6].
In March 2019, security company Netscout published a report about an alleged Indian nation-state actor, dubbed Lucky Elephant, that tricked users of the Myanmar Ministry of Foreign Affairs into filling in credentials on mimicked South Asian government websites [7].
In May 2020, security company Checkpoint published a report about the Chinese Naikon APT actor, which targeted ministries, science and technology ministries, as well as government-owned companies in Myanmar. The actor sent infected (weaponized) documents via e-mail. The documents were built with the RoyalRoad exploit builder [8].
In June 2020, threat intelligence company Anomali published a report about an unknown Chinese APT that targeted the Myanmar Police Force (MPF), Crisis management (NCMC), National League for Democracy (NLD), and Office of Military Security Affairs (OCMSA) via e-mails. The e-mails contained malicious shortcuts in compressed WinZip or RAR files [9].
In November 2020, security company Sophos published its report about a new Chinese APT group, which was also found in the collected threat actor tweets. The new APT group was not attributed to another country and gave the analysts mixed signals. The actor, however, left some interesting artifacts behind, primarily in poor English:
“Hapenexx is very bad”
“AmericanUSA”
“Happiness is a way station between too much and too little.”
“HELLO_USA_PRISIDENT”
All the cases were connected during the analysis of the malware produced by the actors through a common artifact: the program database (PDB) path used during development of the malware, often forgotten by the malware developer or intentionally left behind as a false flag. All the samples shared a similar PDB path, with several of them containing the folder name “KilllSomeOne” [10].
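The PDB-path pivot described above, as an added example that is not part of the original article or of the Sophos report: it pulls the CodeView RSDS debug path out of constructed stand-in binaries (not real malware) and groups samples by the distinctive folder names they share, ignoring generic build directories. The sample paths, the GUID bytes and the list of generic folders are assumptions.

```python
import re
import struct
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed stand-ins for compiled samples: each blob carries a CodeView
# "RSDS" debug record (signature, 16-byte GUID, 4-byte age, NUL-terminated
# PDB path) the way a real PE does. None of this is real malware.
def make_sample(pdb_path: str) -> bytes:
    guid = b"\x11" * 16                  # constructed GUID
    age = struct.pack("<I", 1)
    return (b"MZ" + b"\x00" * 62 + b"RSDS" + guid + age
            + pdb_path.encode("latin-1") + b"\x00" + b"\x00" * 16)

SAMPLES: Dict[str, bytes] = {
    "sample_a.exe": make_sample(r"C:\Users\dev\KilllSomeOne\loader\Release\loader.pdb"),
    "sample_b.dll": make_sample(r"D:\work\KilllSomeOne\stage2\x64\Release\stage2.pdb"),
    "sample_c.exe": make_sample(r"C:\code\unrelated\build\tool.pdb"),
    "sample_d.dll": b"MZ" + b"\x00" * 64,  # stripped build: no debug record
}

# RSDS + GUID(16) + age(4) + printable path + NUL terminator.
RSDS_RE = re.compile(rb"RSDS.{16}.{4}([\x20-\x7e]{1,259})\x00", re.DOTALL)

# Build-system folders nearly every Visual Studio project shares (assumed list).
GENERIC_FOLDERS = {"release", "debug", "x64", "x86", "bin", "obj", "users", "work", "code", "build"}

def extract_pdb_path(data: bytes) -> Optional[str]:
    """Return the PDB path embedded in the first RSDS record, or None."""
    m = RSDS_RE.search(data)
    return m.group(1).decode("latin-1") if m else None

def folder_names(pdb_path: str) -> List[str]:
    """Split a Windows PDB path into lower-cased folder names, dropping drive and file name."""
    parts = [p for p in re.split(r"[\\/]+", pdb_path) if p]
    if parts and re.fullmatch(r"[A-Za-z]:", parts[0]):
        parts = parts[1:]
    return [p.lower() for p in parts[:-1]]

def cluster_by_pdb_folder(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each distinctive folder name to the samples whose PDB path contains it (2+ samples)."""
    index = defaultdict(set)
    for name, data in samples.items():
        path = extract_pdb_path(data)
        if path is None:
            continue            # stripped binaries cannot be pivoted on
        for folder in folder_names(path):
            if folder not in GENERIC_FOLDERS:
                index[folder].add(name)
    return {f: sorted(n) for f, n in index.items() if len(n) > 1}
```

Running `cluster_by_pdb_folder(SAMPLES)` groups the two "KilllSomeOne" samples together and leaves the unrelated and stripped samples out; a PDB path can be planted as a false flag, so treat such a cluster as a lead to corroborate rather than as attribution.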
In January 2021, AlienLabs, part of AT&T, published a report on the Sidewinder APT group. This group has been observed since 2018 targeting organizations in Southeast and East Asia, including Myanmar. Usually, the actors craft unique phishing e-mails to lure the victims into opening weaponized documents that exploit a known vulnerability (CVE-2017-11882). They also use other malicious documents to lure their victims. The Sidewinder APT group operates in support of India’s political interests [11].
Observations
Much of the nation-state cyber insight was obtained from multiple matched tweets that referenced recent public reports shared by the cybersecurity industry. Those, combined with older published reports from 2012 until 2021, produce a clear picture of massive nation-state espionage operations by predominantly Chinese nation-state actor groups. The actor groups targeted government entities of Myanmar and journalists.
From my personal experience I am aware that Myanmar was of special interest to known nation-state adversary groups, but not on the scale that I learned about during this research.
Many of the known adversarial groups seem to have been directed to provide strategic and operational access to safeguard strategic, economic, political, or other interests in Myanmar. The main attack methods used by the nation-state actors remain targeted e-mail phishing, credential harvesting, and leveraging some vulnerabilities by using the RoyalRoad exploit kit. Elections and democracy reforms were e-mail topics leveraged by the actors to lure users into installing the malicious payloads.
Given the immense reporting done by security companies, it is safe to say that many of the aforementioned nation-state threat actors maintained access to networks in Myanmar between 2012 and the present day. Especially the Naikon APT actor group, connected to the Chinese People’s Liberation Army Unit 78020, is mentioned several times in multiple reports.
The open-source journey to determine which nation-state cyber actors expressed an interest in Myanmar also revealed other groups, for example OceanLotus/APT32, which is attributed to Vietnam. The Mofang group has been attributed to China, as have Nightshade Panda, APT 9, and APT30. A great state threat actor resource was compiled by the Computer Emergency Response Team of Thailand, ThaiCERT [11].
I was surprised to encounter the HackingTeam e-mails related to Myanmar dating back to 2012, as my focus on that data set has been a different one in the past. In the e-mails, the military intelligence of Myanmar expresses interest in their hacking tools. Its intentions with the hacking kit remain unclear.
It is a known fact that China attacks countries that are of strategic, political, or economic interest in the Belt and Road Initiative, as there are a lot of future projects or investments at stake. India also expresses a strategic interest in Myanmar after declaring the Indo-Pacific Oceans Initiative and being a large investor. Several reports demonstrate that nation-state threat actor activity by Indian groups has also been found in Myanmar.
Although this overview provides some insights into Myanmar, I did not encounter any reports about Western or Russian nation-state activity in Myanmar yet. Seeing this amount of reported intrusions, it is likely that some have been more advanced and remain unreported. According to the CASCON framework, China clearly looks like the “Non-Status Quo State” versus Myanmar's “Status Quo State”.
A coup d’état executed like this requires planning and strategic alignment. The future will tell whether the new military regime of Myanmar is backed by its main investor, China.
References
November 2012, HackingTeam e-mails. E-mails found in an article from 2015. https://www.irrawaddy.com/news/burma/revealed-domestic-surveillance-company-in-talks-with-burma-govt.html
February 2013, Google warning on Gmail attacks. Also references that other countries, like India and the US, express great interest in Myanmar. https://www.computerworld.com/article/2494841/google-warns-reporters-covering-myanmar--of--state-sponsored--attack-on-gmail-accounts.html
May 2015, Kaspersky report on Naikon. https://raw.githubusercontent.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/master/2015/2015.05.14.Naikon_APT/The%20Naikon%20APT%20-%20Securelist.pdf
August 2015, Arbor Networks report on PlugX activity in Myanmar. https://raw.githubusercontent.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/master/2015/2015.08.20.PlugX_Threat_Activity_in_Myanmar/ASERT%20Threat%20Intelligence%20Brief%202015-05%20PlugX%20Threat%20Activity%20in%20Myanmar.pdf
September 2015, ThreatConnect report on Naikon (Project CameraShy). https://raw.githubusercontent.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/master/2015/2015.09.23.CAMERASHY_ThreatConnect/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf
April 2016, Arbor Networks report on Poison Ivy activity. https://raw.githubusercontent.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf
March 2019, Netscout report. Lucky Elephant APT group targets the Myanmar Ministry of Foreign Affairs. https://www.netscout.com/blog/asert/lucky-elephant-campaign-masquerading
May 2020, Checkpoint report. Naikon targeted ministries, science and technology ministries, as well as government-owned companies in Myanmar. https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
June 2020, Anomali report. Unknown Chinese APT targeted the Myanmar Police Force (MPF), Crisis management (NCMC), National League for Democracy (NLD), and Office of Military Security Affairs (OCMSA). The targets were attacked likely via e-mail. https://www.anomali.com/blog/unknown-china-based-apt-targeting-myanmarese-entities
November 2020, Sophos report on the KilllSomeOne DLL side-loading activity. https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/
January 2021, AlienLabs (AT&T) report on the Indian Sidewinder APT group. https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
ThaiCERT, Threat Actor Encyclopedia. https://www.thaicert.or.th/downloads/files/A_Threat_Actor_Encyclopedia.pdf
¹ Bridgefy: This app simply uses the Wi-Fi and Bluetooth antennas on your mobile phone and does not need regular cellular networks or the Internet for communications. With it, users that have installed the app are able to freely and securely communicate with each other within a range of thirty meters (90 feet) of the next device. Users thus build a network among each other where every mobile device is basically a bridge to another user, creating a larger network. Bridgefy was also heavily used in the Hong Kong protests; other use cases are natural disasters or contact tracing for pandemic control.