A reconnaissance campaign by Chinese hacker group APT10 appears to have targeted representatives from private-sector companies who registered for a National Foreign Trade Council meeting.

A Chinese hacking group is accused of compromising the website of the National Foreign Trade Council in an apparent attempt to spy on the U.S. trade association's members in the days leading up to a key summit between President Donald Trump and Chinese President Xi Jinping.

Dubbed Operation TradeSecret, the campaign involved injecting a malicious link into specific pages on the NFTC's website, including the registration page for a March 7 board of directors meeting in Washington D.C. According to Fidelis, whose researchers uncovered the operation, the most likely targets were representatives from private-sector companies who registered for the event.

"These organizations represent some of the largest U.S. private sector companies that, presumably, have a keen interest in U.S. trade policy," Fidelis asserted in a blog post published on Thursday.

Clicking the malicious link would have executed a remote script for Scanbox, a JavaScript-based reconnaissance framework that is associated exclusively with Chinese threat groups, Fidelis further reported. Scanbox contains various plug-ins that perform reconnaissance on browsers, Adobe Flash and PDF Reader, SharePoint, Chrome security plug-ins, Microsoft Office, Java and other software. It is also capable of logging the keystrokes a victim types into the compromised website.
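The injection described above is small: one off-site link or script reference added to a single page, live for a few days. The following Node.js script is an added example, not code from the article, Fidelis or the NFTC, of the kind of integrity check a site operator could run over saved copies of their own pages to catch that pattern. It lists every resource reference that points off the site's own origin (resolving relative and protocol-relative URLs first, and flagging `javascript:` and `data:` URLs, which run without any host) and reports which of those were absent from a known-good snapshot. The hostnames and HTML in it are constructed for the example; they are not the real NFTC pages or the real injected URL.

```javascript
// Added example (not from the article or Fidelis): a Node.js integrity check
// that compares a saved, known-good copy of a page with its current copy and
// reports off-site references that appeared in between. All hostnames and
// HTML below are constructed for the example.

const TAG_RE = /<(script|iframe|a|link)\b([^>]*)>/gi;
const URL_ATTR_RE = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Return every reference in `html` that points off the site's own origin.
// URLs are resolved against https://<siteHost>/ so that relative paths and
// protocol-relative values ("//host/x.js") are classified correctly.
// Hosts listed in `allowlist` are treated as first-party.
function findForeignResources(html, siteHost, allowlist = []) {
  const trusted = new Set([siteHost, ...allowlist].map((h) => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const attrMatch = URL_ATTR_RE.exec(m[2]);
    if (!attrMatch) continue;
    const attr = attrMatch[1].toLowerCase();
    const raw = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4];
    let url;
    try {
      url = new URL(raw, `https://${siteHost}/`);
    } catch {
      continue; // not a parsable reference, nothing a browser would fetch
    }
    // javascript: and data: URLs execute in the page without any host at all;
    // report them because a first-party page should not carry them.
    if (url.protocol === 'javascript:' || url.protocol === 'data:') {
      findings.push({ tag, attr, url: raw, host: null });
      continue;
    }
    if (!trusted.has(url.hostname.toLowerCase())) {
      findings.push({ tag, attr, url: url.href, host: url.hostname });
    }
  }
  return findings;
}

// Return only the off-site references present in `currentHtml` that were not
// present in `baselineHtml`: the check that catches a link quietly added to
// one page and removed again days later.
function newForeignResources(baselineHtml, currentHtml, siteHost, allowlist = []) {
  const before = new Set(
    findForeignResources(baselineHtml, siteHost, allowlist).map((f) => f.url)
  );
  return findForeignResources(currentHtml, siteHost, allowlist).filter(
    (f) => !before.has(f.url)
  );
}

// Constructed sample pages and hosts (not real NFTC content).
const SITE = 'www.association.example';
const ALLOW = ['static.association.example'];

const BASELINE_HTML = `
<html><head>
<script src="/js/site.js"></script>
<script src="https://static.association.example/analytics.js"></script>
</head><body>
<h1>Board of Directors Meeting - Registration</h1>
<a href="/register">Register here</a>
</body></html>`;

// The same page with one injected off-site script reference, the shape of
// the strategic web compromise the article describes.
const INJECTED_HTML = BASELINE_HTML.replace(
  '</head>',
  '<script src="//cdn-metrics.example/loader.js"></script>\n</head>'
);

for (const f of newForeignResources(BASELINE_HTML, INJECTED_HTML, SITE, ALLOW)) {
  console.log(`NEW off-site ${f.tag}[${f.attr}] -> ${f.url}`);
}
```

Run against the constructed pages, the script reports a single new off-site `script[src]` pointing at `cdn-metrics.example`; the baseline's own scripts and the allowlisted static host produce nothing. In practice the snapshot would come from a scheduled crawl of the site's own pages, and the allowlist from the CDNs and analytics providers the site legitimately uses.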

The malicious link first appeared on the website on Feb. 27 and was removed on March 2.

Fidelis suspects the culprit is most likely APT10, aka menuPass, the very same APT that BAE Systems and PwC UK recently implicated as the driving force behind Operation Cloud Hopper -- a hacking campaign that compromised managed service providers and used them as conduits to steal sensitive trade secrets from their clients.

While the Cloud Hopper attacks would seem to violate the terms of a 2015 pact between the U.S. and China that prohibits the online theft of intellectual property, Operation TradeSecret appears to be within the ground rules. "This right now has the look and feel of traditional espionage," said John Bambenek, threat systems manager at Fidelis, in an interview with SC Media. This particular campaign "doesn't look like they're interested in intellectual property," at least for now, he added.

Although the campaign could be the work of another Chinese group, Bambenek said Fidelis is leaning toward APT10 due to the use of an obfuscation technique that is commonly linked to the group. APT10 is also referred to as Stone Panda, RedApollo and CVNX.

China's Xi arrived in the U.S. on Thursday to convene with Trump at his Mar-a-Lago retreat. Trade policy could certainly be on the table for discussion during this bilateral summit. In its blog post, Fidelis stressed that NFTC members "have been key participants in the dialogue around the composition of the new trade policy framework being formulated within the Trump administration. One example of this is the advocacy for the appointment of a new U.S. Trade Representative..."

"Think tanks, trade associations are all soft targets," said Bambenek. "This is where policy gets made. They're not government, but you still have to protect them because there's still a lot of valuable information that they have."

The report also referenced a second operation similar in nature to TradeSecret, in which a hacker group targeted government officials in Japan by creating a malicious website that spoofed a page from the legitimate website of Japan's Ministry of Foreign Affairs. The joint BAE Systems-PwC UK report also referenced this scheme.