Ahead of Thursday's summit between U.S. President Donald Trump and Chinese President Xi Jinping, researchers released a report claiming that a Chinese cyber-espionage group broke into the website of a Washington D.C.-based trade group. The research firm said the sophisticated hacking group APT10 is believed to be responsible for a February intrusion in which the group planted a malicious link on an events web page that members of the National Foreign Trade Council (NFTC) use to look up upcoming meetings.
Evidence of Chinese cyber-espionage released as Trump meets Xi
APT10, a group believed to pursue Chinese government interests, broke into the NFTC website to implant a malicious link. Researchers at the security firm Fidelis Cybersecurity uncovered this malware campaign back in February. However, the firm appears to be taking advantage of this week's Trump-Xi summit to publish its findings. "In late February, Fidelis Cybersecurity observed a strategic web compromise on a prominent U.S. lobbying group that served up malware to a very specific set of targets," the firm wrote.
"The malware we observed has been used exclusively by Chinese nation-state threat actors in our observation and according to previously published research."
When NFTC members clicked on this malicious link, instead of taking them to the details of a March 7 meeting in Washington, the link deployed Scanbox, a spying tool that dates back to 2014. Scanbox has previously been associated with the Chinese government; it lets its operators record the type of software a target is running and run keyloggers on affected systems.
"Traditionally these attacks are used to precisely identify targets and help them craft targeted phishing attacks using exploits they know the victim is vulnerable to."
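A strategic web compromise of the kind described above works by planting a reference on a legitimate page that pulls a reconnaissance kit from a host the site owner never intended to load. One defensive check a site owner can run is to inventory every external host a page references and flag any that is not on an allowlist. The script below is an added example, not code from the article or from Fidelis; the hostnames, the allowlist and the sample events page are constructed for illustration and do not describe the NFTC site.

```python
"""Allowlist check for third-party resources referenced by a web page.

Added example: scans HTML for script/iframe/img/link/anchor targets and
reports any whose host is neither the site itself nor an allowlisted
third party. All hostnames and the sample page below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that load or navigate to a remote resource.
RESOURCE_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "img": ("src",),
    "link": ("href",),
    "a": ("href",),
}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) pairs for every resource-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.found.append((tag, value))


def host_allowed(host, site_host, allowlist):
    """True if host is the site itself, an allowlisted domain, or a subdomain of one."""
    if host == site_host:
        return True
    return any(host == d or host.endswith("." + d) for d in allowlist)


def find_unexpected(html, site_host, allowlist):
    """Return (tag, url) pairs pointing at hosts outside the site and its allowlist.

    Relative URLs (empty host) are same-origin and skipped; protocol-relative
    URLs such as //host/path are resolved to their host via urlparse.
    """
    collector = ResourceCollector()
    collector.feed(html)
    unexpected = []
    for tag, url in collector.found:
        host = urlparse(url).hostname  # lower-cased, port stripped; None if relative
        if host is None:
            continue
        if not host_allowed(host, site_host, allowlist):
            unexpected.append((tag, url))
    return unexpected


# Constructed sample: an events page with one injected, protocol-relative script.
SITE_HOST = "www.trade-council.example"
ALLOWLIST = {"trade-council.example", "example-cdn.com"}
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-cdn.com/jquery.min.js"></script>
<script src="//unlisted-host.example/js/rs.js"></script>
</head><body>
<h1>Upcoming events</h1>
<a href="/events/march-7">March 7 meeting, Washington</a>
<a href="https://calendar.trade-council.example/march-7">Add to calendar</a>
<iframe src="https://analytics.example-cdn.com/px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_unexpected(SAMPLE_PAGE, SITE_HOST, ALLOWLIST):
        print(f"unexpected <{tag}> reference: {url}")
```

Run against saved copies of a site's pages on a schedule and compare the output to the previous run; a newly appearing host in a script or iframe is the signal worth paging on, since that is the element that would carry a browser-side reconnaissance kit.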
NFTC is a prominent advocate on international trade policy whose corporate members include Wal-Mart Stores, KPMG, Pfizer, Visa, Johnson & Johnson, Amazon.com, Ford and Microsoft. Fidelis wrote that an NFTC director, who is a Fidelis customer, contacted the company. The FBI was also notified after the malware implant was detected and removed. While the FBI and NFTC have declined to comment on the authenticity of this report, Fidelis said there is no evidence that any NFTC member had been infected.
Fidelis calls this malware campaign Operation TradeSecret and believes that the attack against NFTC could be an attempt to conduct surveillance on the main lobbyists and industry players associated with US trade policy. The security firm also hypothesized that the attackers were trying to obtain trade secrets ahead of today's meeting.
However, according to independent security researchers who spoke to Forbes, the link that Fidelis draws between the NFTC hack and APT10 is weak. It could very well be an attempt to draw attention to the firm ahead of President Trump's meeting with the Chinese President. Both APT10 and US-China relations are hot topics right now: earlier this week a PwC and BAE report revealed that the hacking group was targeting IT, cloud and managed service providers (MSPs) globally, including in the United States.
"The threat actor’s targeting of diplomatic and political organisations in response to geopolitical tensions, as well as the targeting of specific commercial enterprises, is closely aligned with strategic Chinese interests," PwC wrote in its report earlier in the week.