A group of what appears to be Chinese hackers infiltrated a U.S. trade-focused lobbying group as the two countries wrestle with how they treat imports of each other’s goods and services.
The APT10 Chinese hacking group appears to be behind a “strategic web compromise” in late February and early March at the National Foreign Trade Council, according to security vendor Fidelis Cybersecurity.
The NFTC lobbies for open and fair trade and has pledged to work with U.S. President Donald Trump to “find ways to address Chinese policies that frustrate access to their market and undermine fair trade, while at the same time encouraging a positive trend in our trade relationship.” Trump will meet with China President Xi Jinping in Florida this week.
The lobbying group discovered the attack almost immediately and took steps to remove the malware and protect website visitors, a source close to the group said.
It is “highly probable” that the web attack targeted key private-sector organizations focused on U.S. trade policy, Fidelis Cybersecurity said in a blog post. The company’s research has found a similar operation targeting government officials in Japan, it said.
“The connections we can draw from the Japanese campaign lead us to estimate that it is highly probable that the actors involved are known as APT10,” a well-known Chinese hacking group.
The attack on the lobbying group, dubbed Operation TradeSecret by Fidelis, targeted visitors to some of the organization’s web pages, including one used to register for meetings. The attacks served reconnaissance malware known as Scanbox, Fidelis said.
Scanbox is typically used by hackers associated with or sponsored by the Chinese government, the company said. It gives hackers multiple capabilities, including JavaScript keyloggers installed on target PCs. The information gathered with this reconnaissance can be used in phishing campaigns directed toward targeted individuals. These campaigns can then exploit specific vulnerabilities known to exist within the user’s applications.
The information gathered can then be used in phishing campaigns targeting specific computer users, Fidelis said.
“The benefit of such a watering-hole attack is that it enables the adversary to target key individuals as they go about their business,” said Hardik Modi, vice president for threat research at Fidelis. “Big business plays a key role in the formulation of trade policy in the U.S., and our expectation is that this campaign was about gathering intelligence in advance of the negotiations that accompany the [U.S.-China] summit.”
Lobbying groups are particularly attractive targets, Modi added by email. They are “in a difficult position because they often have a sensitive membership and can be an easy conduit for the adversary to target the specific interest group they’re interested in,” he said. “This has been part of cyber tradecraft for a long time now.”
This type of espionage is “an age-old tradition for governments,” he added.