Chinese hackers suspected of using Dropbox to snoop on Afghan officials

The campaign appears to be tied to a long-running operation that has also targeted government entities in Kyrgyzstan and Uzbekistan.
An Afghan national flag, June 13, 2021. (Photo by ADEK BERRY/AFP via Getty Images)

Hackers with ties to China have been targeting the emails of Afghan security officials with malware meant to scoop up everything on their desktop, according to a Thursday report from researchers at Check Point.

In an example shared by researchers, a hacker sent a malicious file to an official at the Afghanistan National Security Council posing as someone from the administrative office of the president of Afghanistan. The email requested the recipient review an attachment that was purportedly about an upcoming press conference.

Once clicked, that attachment opened the first file on the victim’s desktop while simultaneously opening a backdoor onto the computer, Check Point said.

From there, hackers had access to the victim’s files and executed a scanner tool popular with multiple hacking groups, including the Chinese government-linked group APT10.


Based on the malware used by hackers, though, researchers believe with medium to high confidence that the attack was executed by a Chinese-speaking hacking group sometimes referred to as “IndigoZebra.” The group has, since 2014, targeted governments in Central Asia including Kyrgyzstan and Uzbekistan.

This is the first time the group’s techniques have been tied to an attack on the Afghan government and Check Point researchers aren’t ruling out additional possible victims.

Notably, the hackers used Dropbox folders as the channel for communication between their own system and the infected computer. Because the traffic appeared to come from Dropbox, a legitimate file-sharing service, it didn’t set off any red flags. It speaks to how attackers are innovating to evade security safeguards.

“The trend is not just a usage of Dropbox, but any way to fly under the security radar,” says Check Point malware analyst Alexandra Gofman.

Researchers at Proofpoint also recently flagged a rise in cybercriminals turning to trusted services like Dropbox and Google Drive to send malware while avoiding security concerns.


Gofman says that Check Point is working with Dropbox to make sure that hackers can no longer use the company’s system to run the malware.


Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
