A prominent trade organization involved in economic policy discussions with the Trump administration was the target of a digital espionage operation with ties to the Chinese government, according to new research gathered by Fidelis Cybersecurity.
The news comes as President Donald Trump prepares to meet Thursday with Chinese President Xi Jinping for the first time.
The hacker group at the center of Fidelis’ report is known in the security research community as APT 10 — an elite unit with ties to China.
One of APT 10’s signature spy tools, dubbed “Scanbox,” was found lurking on several webpages owned by the National Foreign Trade Council, including a digital registration form. The registration page is used by guests to schedule meetings and sign up for NFTC events. The organization says it has about 300 member companies. NFTC board members include executives from Amazon, ExxonMobil, Google, IBM, KPMG, Microsoft, Oracle, Visa and Walmart.
With Scanbox in place, anyone who visited the organization’s registration page was served reconnaissance malware that let the attacker gather information about certain programs running on the visitor’s device.
Information gathered with Scanbox, according to Fidelis Threat Intelligence Manager John Bambenek, could have been leveraged to launch subsequent phishing emails that could exploit old vulnerabilities in device-specific applications.
Scanbox comes with several different plugins, including a keylogger and scanning features, which will load depending on the browser used by the target while visiting the NFTC domain.
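Scanbox runs as script injected into an otherwise legitimate page, so one cheap integrity check a site owner can schedule is to diff the script and iframe sources a served page actually loads against an allowlist of approved hosts. The following is an added example written for this article, not code from Fidelis or the NFTC; the page URL, the allowlist and the injected tag in the sample HTML are all constructed placeholders.

```python
"""Flag <script> and <iframe> tags on your own pages whose src points at a host
you did not approve. A watering-hole injection of a reconnaissance framework
such as Scanbox adds exactly one such tag to a real page, so an allowlist diff
over the HTML the server actually returns is a useful periodic check."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _SourceCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def find_unapproved_sources(html, page_url, allowed_hosts):
    """Return script/iframe URLs whose host is neither the page's own host nor on
    the allowlist. Relative URLs (e.g. /js/app.js) resolve to the page's host
    and are skipped; protocol-relative URLs (//host/x.js) are checked."""
    collector = _SourceCollector()
    collector.feed(html)
    own_host = urlparse(page_url).hostname or ""
    approved = {h.lower() for h in allowed_hosts} | {own_host.lower()}
    findings = []
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative URLs
        if host is not None and host.lower() not in approved:
            findings.append(src)
    return findings


# Constructed sample: a registration page with one injected third-party script.
# The injected host is a placeholder, not an indicator from the Fidelis report.
SAMPLE_PAGE = """<html><head>
<script src="/js/registration.js"></script>
<script src="https://cdn.approved.example/lib.js"></script>
<script src="https://injected-placeholder.example/i.js"></script>
</head><body><form action="/register"><input name="email"></form></body></html>"""

PAGE_URL = "https://www.site-placeholder.example/register"  # assumed page URL
ALLOWED_HOSTS = ["cdn.approved.example"]  # assumed allowlist

if __name__ == "__main__":
    for src in find_unapproved_sources(SAMPLE_PAGE, PAGE_URL, ALLOWED_HOSTS):
        print("unapproved script source:", src)
```

Run it against the HTML your web server actually returns (fetched through an external vantage point, since an injection may only be served to outside visitors), and treat any hit as a change to investigate rather than a confirmed compromise; the allowlist has to be maintained alongside legitimate CDN changes.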
The unique reconnaissance tool has been previously linked to other Chinese military affiliated hackers, including a group “believed to be behind well-publicized intrusions in recent years, such as the ones involving Anthem Healthcare and the U.S. Office of Personnel Management,” the report reads.
“Scanbox is used by multiple actors but the specific obfuscation layer used in this attack and some techniques link identically to previous APT10 attacks,” Bambenek told CyberScoop. “We are highly confident of the Chinese state sponsorship and moderately confident this is APT10.”
Fidelis first gained insight into the incident because one of its customers had visited the NFTC registration page while Scanbox was active.
The malicious links running in the background of the NFTC’s webpage were removed on March 2, Bambenek said. The active espionage operation appears to have occurred between Feb. 27 and March 1, 2017. The campaign likely targeted individuals that were visiting NFTC’s website to register for a board of directors meeting that took place on March 7 in Washington, D.C.
Bambenek said that Fidelis passed on the intelligence it collected about APT 10 to the FBI.
“All organizations who have representatives on the Board of Directors of the NFTC or those who would have a reason to visit the site should investigate potentially impacted hosts,” Fidelis recommended. “Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that such personnel will be subject to further targeted attempts to compromise them.”
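The practical first step behind that recommendation is to pull, from web proxy logs, the internal hosts that fetched any page on the affected site during the window the article gives (Feb. 27 through March 1, 2017). The script below is an added example for this article, not Fidelis tooling; the log format, the client addresses and the site hostname are constructed placeholders, and the window is assumed to be in UTC.

```python
"""Triage proxy logs for hosts that visited a watering-hole site during the
period the injected reconnaissance script was live. Returns a dict of
client IP -> list of visit timestamps so responders know whom to examine."""
from datetime import datetime, timezone
from urllib.parse import urlparse

# Window reported in the article: Feb. 27 through March 1, 2017. The end bound
# is exclusive, so it covers all of March 1. UTC is an assumption.
WINDOW_START = datetime(2017, 2, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 3, 2, tzinfo=timezone.utc)

# Placeholder for the affected site; the article does not give the URL.
TARGET_HOST = "nftc-site-placeholder.example"


def parse_line(line):
    """Parse a constructed log format: '<ISO-8601 Z timestamp> <client-ip> <method> <url> <status>'.
    Returns (timestamp, client_ip, url_host) or None for malformed lines."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, parts[1], urlparse(parts[3]).hostname


def impacted_hosts(lines, target_host=TARGET_HOST, start=WINDOW_START, end=WINDOW_END):
    """Map each client IP that fetched any page on target_host inside
    [start, end) to the timestamps of those requests."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client_ip, host = parsed
        if host and host.lower() == target_host.lower() and start <= ts < end:
            hits.setdefault(client_ip, []).append(ts)
    return hits


# Constructed sample log lines: one visit before the window, two inside it from
# different hosts, one to an unrelated site, and one malformed line.
SAMPLE_LOG = [
    "2017-02-26T09:12:00Z 10.1.2.3 GET https://nftc-site-placeholder.example/register 200",
    "2017-02-28T14:03:11Z 10.1.2.3 GET https://nftc-site-placeholder.example/register 200",
    "2017-03-01T08:45:02Z 10.1.2.9 GET https://nftc-site-placeholder.example/events 200",
    "2017-03-01T10:00:00Z 10.1.2.7 GET https://cdn.approved.example/lib.js 200",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for ip, visits in sorted(impacted_hosts(SAMPLE_LOG).items()):
        print(ip, [v.isoformat() for v in visits])
```

Match on the whole site host rather than only the registration path, because the report says Scanbox was found on several NFTC pages; once you have the list, the follow-on work is endpoint review of those hosts and heightened scrutiny of phishing aimed at their users, since the tool's purpose is to set up later targeting.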
In the NFTC case, the hackers registered new domains to host Scanbox and made several key changes to the malware’s code in order to bypass classic signature-based anti-virus detection.
Earlier this week, England’s National Cyber Security Centre, in coordination with PricewaterhouseCoopers and defense contractor BAE Systems, published a related research paper about APT 10. They found that APT 10 had also sent a barrage of spear phishing emails last year to UK information technology contractors. The purpose of that operation was to compromise companies that could help the group gain access to the other prominent British commercial brands those contractors serve.
Trump was scheduled to meet with President Xi Jinping on Thursday evening at his Mar-a-Lago residence in Florida.