Suspected Chinese hackers break into foreign ministries' email servers

Suspected Chinese hackers have broken into Microsoft Exchange email servers used by foreign ministries, according to new findings from Palo Alto Networks.

The security company’s Unit 42 division has been tracking the group for nearly three years. Researchers said the operation is a long-running effort to read and collect the private communications of diplomats across the world.

Unit 42 confirmed the hackers had full access to search for information inside the email servers of some ministries. They specifically hunted for terms tied to a China-Arab summit held in Riyadh, Saudi Arabia, in 2022, said senior researcher Lior Rochberger.

The team said the hackers also searched for the names of Chinese President Xi Jinping and Peng Liyuan, his wife, in connection to that summit. Researchers declined to identify which countries were hit but said the activity “align consistently with the People’s Republic of China (PRC) economic and geopolitical interests.”

Researchers track hackers to Phantom Taurus campaign

“When I found them searching for specific diplomatic keywords and then exfiltrating emails from embassies and military operations, I realized this was a serious intelligence collection effort,” Rochberger said. Palo Alto Networks calls the hacking group Phantom Taurus.

The company said the breaches went beyond simple spying, showing a focus on strategic events and military movements.

Liu Pengyu, a spokesperson for the Chinese Embassy in Washington, responded that hacking is a problem for all countries, including China, and that the government opposes all forms of cyberattacks.

“Cyberspace is highly virtual, difficult to trace, and involves a diverse range of actors,” he said. “Tracing the source of cyber attacks is a complex technical issue, that requires solid and full evidence.”

The Palo Alto Networks report also highlighted how suspected Chinese hackers are now targeting industries worldwide. On September 24, Alphabet Inc.’s Google stated that a Chinese group had compromised US technology companies.

Earlier in September, suspected attackers impersonated the Republican chair of the House Select Committee on China in attempts to steal sensitive data on trade negotiations, according to the committee.

Assaf Dahan, director of threat intelligence at Palo Alto Networks, said many of Phantom Taurus’ breaches had a “tight correlation to specific geopolitical events or military maneuvers.” The report also said that other espionage activities sought information related to countries, including Afghanistan and Pakistan.

Claim your free seat in an exclusive crypto trading community - limited to 1,000 members.