Suspected Chinese hackers were able to break into Microsoft Exchange email servers used by foreign ministries, according to a new finding from Palo Alto Networks. The security company’s Unit 42 division has been tracking the group for the last three years, with researchers claiming that the operation is a long-running effort to read and collect the private communications of diplomats across the world.
According to Unit 42, the hackers were able to gain access to search for information inside the email server of some ministries. They specifically searched for items linked to the China-Arab summit held in Saudi Arabia in 2022, a senior researcher said. The team also noted that the hackers searched for the names of Chinese President Xi Jinping and his wife in connection with the summit. Researchers refused to identify the countries affected and said the activity was in line with the People’s Republic of China (PRC) economic and geopolitical interests.
Researchers track suspected Chinese hackers to Phantom Taurus campaign
“When I found them searching for specific diplomatic keywords and then exfiltrating emails from embassies and military operations, I realized this was a serious intelligence collection effort,” Rochberger said. Palo Alto Networks calls the hacking group Phantom Taurus. The company also mentioned that the hack went beyond simple spying, showing a focus on strategic events and military movements.
Spokesperson for the Chinese Embassy in Washington, Liu Pengyu, mentioned that hacking is a problem for all countries, including China, and that the government opposes all forms of cyberattacks. “Cyberspace is highly virtual, difficult to trace, and involves a diverse range of actors,” he said. “Tracing the source of cyber attacks is a complex technical issue that requires solid and full evidence.”
The Palo Alto Networks report also highlighted how suspected Chinese hackers are now targeting industries worldwide. On September 24, Alphabet Inc.’s Google stated that a Chinese group had compromised US technology companies. Earlier in September, suspected attackers impersonated the Republican chair of the House Select Committee on China in attempts to steal sensitive data on trade negotiations, according to the committee.
Assaf Dahan, director of threat intelligence at Palo Alto Networks, said many of Phantom Taurus’ breaches had a “tight correlation to specific geopolitical events or military maneuvers.” The report also said that other espionage activities sought information related to countries, including Afghanistan and Pakistan.
