In the world of cyberespionage, the Chinese are king. More nation-state attacks are attributed to it than any other country. Though the assumption has been that the motive behind most of this spying was to gain a competitive advantage for Chinese companies, there had not been much proof. Until now. A new espionage campaign attributed to China shows an almost one-to-one correlation between the breaches and China's economic interests.

The group, discovered last November by the Dutch security firm Fox-IT and dubbed Mofang, has struck more than a dozen targets in various industries and countries since at least February 2012, and is still active. Mofang has targeted government agencies in the US, military agencies in India and Myanmar, critical infrastructure in Singapore, research and development departments of automotive companies in Germany, and the weapons industry in India.

But one campaign in particular, conducted in relation to business dealings in Myanmar's Kyaukphyu special economic zone, provides clues about the attackers' motives. In that attack, Mofang targeted a consortium overseeing decisions about investments in the zone, where China’s National Petroleum Corporation hoped to build an oil and gas pipeline.

"It’s a really interesting campaign to see where initial investments by a China state-owned company [appeared to drive the breaches]," says Yonathan Klijnsma, senior threat intelligence analyst with Fox-IT. "Either they were afraid of losing this investment or they just wanted more [business opportunities]."

Finding Mofang

Fox-IT discovered the group after uncovering some of its malware on VirusTotal, a free online service owned by Google that aggregates more than three dozen antivirus scanners made by Symantec, Kaspersky Lab, F-Secure and others. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if any of the scanners tag it as malicious.

Fox-IT uncovered two primary tools the group uses: ShimRat (a remote access trojan) and ShimRatReporter (a tool for conducting reconnaissance). The malware is custom tooled for each victim, which allowed Fox-IT to identify targets in cases where the victim's name appeared in email documents the attackers used.

Unlike many nation-state hacks attributed to China, the Mofango group doesn’t use zero-day exploits to get into systems but instead primarily relies onphishing attacks that direct victims to compromised web sites where the malware downloads to their system using already known vulnerabilities. The group also hijacks antivirus products to run their malware, so that if a victim looks at the list of processes running on their system, it looks like a legitimate antivirus program is running when really it's malware.

The researchers arrived at the China attribution in part because some of the code the attackers use is similar to code attributed to other Chinese groups. Additionally, documents used in the phishing attacks were created in WPS Office or Kingsoft Office, a Chinese software similar to Microsoft Office.

The Attacks

The first campaign hit a government entity in Myanmar in May 2012. Mofang hacked a Ministry of Commerce server. That same month, they also targeted two German automotive companies, one engaged in developing technology for armored tanks and trucks for the military, the other involved in rocket-launching installations.

In August and September 2013 they struck targets in the US. In one case, they targeted US military and government workers by emailing them a registration form for Essentials of 21st Century Electronic Warfare, a training course for US government employees held in Virginia. They also targeted a US tech company doing solar cell research as well as exhibitors at the 2013 MSME DEFExpo in India—an annual defense, aerospace and homeland security expo for companies selling to governments. In 2014 they struck an unknown South Korean organization, and in April that year they targeted a Myanmar government agency using a document purporting to be about human rights and sanctions in Myanmar.

"The variety [of their targets] is big, but they always go after technology and research and development companies," Klijnsma says.

But the most telling attack came last year when they targeted a Myanmar government entity and a Singapore-based company called CPG Corporation, both of whom were involved in making decisions about foreign investments in the Myanmar special economic zone known as Kyaukphyu, which entices foreign investors with tax breaks and extended land leases. The Kyaukphyu zone was of particular interest to the China National Petroleum Corporation which began investing there in 2009. The company signed a memorandum of understanding to build a seaport and develop, operate and manage an oil and gas pipeline connecting Myanmar to China to save the Chinese company from having to sail through the Strait of Malacca to deliver gas. The Chinese government may have feared that without a binding legal agreement, Myanmar would renege on the deal.

In March 2014 Myanmar chose a consortium led by the CPG Corporation in Singapore to help make decisions about development in the zone. In 2015, the consortium intended to reveal the companies that had won infrastructure investment rights but by July no results had been disclosed. That’s when the Mofang group hacked the CPG corporation, Klijnsma says. Fox-IT does not know what specific information was taken, but the timing is illustrative.

"The timeline is very specific," he says. "It lines up ridiculously well [with the decision-making period]."

In 2016, China won the tender to build the oil and gas pipeline and seaport in Myanmar's economic zone. And with that, the Mofang group's motives seem clear.