China Is Relentlessly Hacking Its Neighbors

The cybersecurity alert seen by WIRED says that to steal emails from ASEAN, Chinese threat actors used “valid credentials” to compromise mail servers linked to the group. These Microsoft Exchange servers used the mail.asean.org and auto.discover.asean.org domains. The document also lists four Microsoft Exchange server vulnerabilities that were abused by those behind the hack. Microsoft first published details of the vulnerabilities in March 2021 and linked their use to Chinese threat actor Hafnium, which attacked tens of thousands of mail servers at the time.

The cybersecurity alert advised member countries to reset credentials, monitor remote email collection from unknown locations, and defend against the vulnerabilities. It also notes that this isn’t the first time Chinese threat actors have compromised ASEAN. In July 2021, the alert says, the ShadowPad malware was used to compromise the organization. Meanwhile, between May and October 2019, Chinese attackers used the PlugX malware to steal more than 100 ASEAN-related documents. 

ShadowPad and PlugX are both remote-access tools that are commonly used by Chinese-linked hackers, says Ben Read, director of cyberespionage analysis at US cybersecurity firm Mandiant. They operate as backdoors and allow hackers to take control of someone’s machine, including uploading and downloading files and moving through someone’s network. “PlugX has been the workhorse of Chinese cyberespionage for the past decade,” Read says. 

Hacking Spree

For all countries across Southeast Asia, China is a crucial partner. The nation is the biggest power in the region, and trade between the countries is crucial to many of their economies. “China wants to build closer ties with these countries,” says Olivia Cheung, a research fellow at the China Institute at SOAS University of London. Chinese president Xi Jinping has talked of building a “community of common destiny” with ASEAN countries.

Despite this, the relationship is far from equal. China has spent billions on infrastructure and manufacturing across Southeast Asia—particularly through the Belt and Road Initiative, an infrastructure investment project that helps give China political and economic power. As a result, there are many tensions between the neighbors, including around the South China Sea. “Efforts to deepen positive relations are quite often offset by the Chinese government's approach to securitize everything,” Cheung says.

China’s state-sponsored hackers are incredibly active in the area, multiple cybersecurity experts say. “The region holds vital strategic importance, due to its geographical location and its growing economic importance,” says Che Chang, a cyber-threat analyst at Taiwan-based cybersecurity firm TeamT5. Che says that in recent years government and military units in Southeast Asian countries have been a common target for China’s hackers. In the second half of 2022, there was a 20 percent increase in China-linked cyberattacks against Southeast Asian countries, compared with the same time in 2021, he says.

Security firm Recorded Future has tracked 10 Chinese-linked groups attacking Southeast Asian countries in the past two years—primarily government and military organizations. Throughout 2021, Recorded Future detected 400 servers in Southeast Asia that were communicating with malware infrastructure likely linked to Chinese state-sponsored actors, a report from the firm says. Malaysia, Indonesia, and Vietnam were targeted the most.