Security Experts:

Connect with us

Hi, what are you looking for?



China Intensified Attacks on Major Afghan Telecom Firm as U.S. Finalized Withdrawal

Several China-linked cyberespionage groups were observed intensifying attacks on a major telecom firm in Afghanistan just as the United States was finalizing its withdrawal from the country.

Several China-linked cyberespionage groups were observed intensifying attacks on a major telecom firm in Afghanistan just as the United States was finalizing its withdrawal from the country.

Threat intelligence company Recorded Future reported on Tuesday that it had seen four different Chinese threat groups targeting a mail server belonging to Roshan, a major telecom provider that has more than 6.5 million subscribers across Afghanistan.

The attacks were conducted by the groups known as Calypso and RedFoxtrot, as well as two different Winnti and PlugX activity clusters that Recorded Future researchers could not connect to other known actors.

The threat groups targeted the same Roshan mail server, which the researchers say it’s not unusual for Chinese hackers, who often have different intelligence requirements and don’t coordinate their activities.

Some of the groups had access to the mail server for months, but the attacks appeared to intensify in August and September, just as U.S. troops were finalizing their withdrawal from Afghanistan. Specifically, the researchers noticed increased data exfiltration activity during this period.

Calypso, which has targeted Roshan since at least July 2020, was one of the first threat groups to target the Microsoft Exchange vulnerabilities known as ProxyLogon following their disclosure.

“This focus on intelligence gathering targeting one of Afghanistan’s largest telecommunications providers is likely in part driven by the Chinese Communist Party’s (CCP) purported desire to expand influence within Afghanistan under renewed Taliban rule,” Recorded Future explained in a blog post. “The telecommunications firm offers a hugely valuable platform for strategic intelligence collection, be it for monitoring of downstream targets, bulk collection of communication data, as well as the ability to track and monitor individual targets.”

The cybersecurity firm added, “Afghanistan is strategically important to China for several reasons, particularly in the wake of the US withdrawal. For one, the PRC likely seeks to increase its influence within Afghanistan to prevent regional instability and extremism from spreading into the bordering Xinjiang Uyghur Autonomous Region of the PRC, as well as to other Central Asian countries. These issues raise national security concerns and a need to protect PRC interests in the region, including major Belt and Road Initiative (BRI) investments. The US withdrawal also presents the PRC with opportunities for major new BRI-linked and extractive industry projects within Afghanistan.”

Related: Is the Taliban a Cyber Threat to the West?

Related: US-built Databases a Potential Tool of Taliban Repression

Related: UK Minister Sorry Over Afghan Interpreters’ Data Breach

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


A newly identified threat actor tracked as NewsPenguin has been targeting military organizations in Pakistan with sophisticated malware.