Researchers have identified a Chinese cyber-espionage campaign targeting the United States ahead of the upcoming trade summit between President Donald Trump and President Xi Jinping. The findings, detailed in a report released by Fidelis Cybersecurity, reveal that the Chinese APT10 hacking group infiltrated the “Events” page of the U.S. National Foreign Trade Council (NFTC) website back in February.
This operation, dubbed “Operation TradeSecret,” is believed to have been aimed at surveilling key industry stakeholders and lobbyists integral to U.S. trade policy discussions. By embedding a malicious link within an invitation to a meeting scheduled for March 7, the hackers employed a sophisticated spying tool known as “Scanbox.”
Scanbox, which dates back to 2014, has been previously linked to state-sponsored threat actors from China. Its capabilities include capturing details about the victim’s software environment and deploying keyloggers on compromised systems. According to Fidelis researcher John Bambenek, the operation functioned primarily as a reconnaissance tactic. Anyone who opened the affected calendar entry risked exposing their software versions, and a JavaScript keylogger could reveal their identities.
Bambenek elaborated that such tactics are typically employed to precisely identify targets, aiding hackers in crafting tailored phishing attacks that exploit specific vulnerabilities in their victims’ systems. The malicious link remained active on the NFTC website between February 27 and March 1, and by the time Fidelis alerted NFTC, the malware had already been removed.
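As an added, defender-side example (not from the article or the Fidelis report), the following Python script audits a web page's HTML for the two things an injected Scanbox-style loader leaves behind: script tags that load from hosts outside an allowlist, and inline scripts that hook keystroke events. The allowlisted hostname and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an events page with a legitimate same-origin script,
# an injected off-domain loader and an inline keystroke hook (all made up).
SAMPLE_HTML = """
<html><body>
<h1>Events</h1>
<script src="/static/calendar.js"></script>
<p>Meeting invitation, March 7</p>
<script src="https://cdn.example-attacker.test/i.js"></script>
<script>document.addEventListener('keydown', function(e){ q.push(e.key); });</script>
</body></html>
"""

# Inline handlers or listeners for key events are the signature of a JS keylogger.
KEYLOG_HOOKS = re.compile(
    r"(onkey(down|press|up)\s*=|addEventListener\(\s*['\"]key(down|press|up)['\"])"
)

class ScriptAudit(HTMLParser):
    """Collects (finding_type, detail) tuples for suspicious <script> usage."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src is None:                      # inline script: inspect its body
            self._in_inline = True
            return
        host = urlparse(src).hostname        # None for relative (same-origin) src
        if host and host not in self.allowed_hosts:
            self.findings.append(("external-script", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):             # script bodies arrive here as raw text
        if self._in_inline and KEYLOG_HOOKS.search(data):
            self.findings.append(("inline-key-hook", data.strip()[:60]))

def audit_page(html, allowed_hosts=("www.example.org",)):  # hostname is a placeholder
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html)
    return parser.findings
```

Running `audit_page(SAMPLE_HTML)` reports the off-domain loader and the inline key hook but not the same-origin calendar script; the same check can be run on a periodic fetch of a site's public pages to catch injected content before visitors do.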
The NFTC board comprises prominent figures and organizations, including the U.S. Ambassador to GATT, Rufus Yerxa, as well as executives from leading corporations such as Google, Amazon, and IBM, underscoring the significant interest in these trade discussions. While Fidelis reported no additional attacks against NFTC board members, it is believed the hackers were after a broader set of entities pertinent to the trade negotiations.
This incident marks the second revelation concerning APT10’s cyber-espionage activities within a week. A separate report by BAE Systems and PwC also indicated that APT10 has been targeting managed IT services providers globally to siphon off sensitive data.
From a tactical standpoint, the attack utilized several strategies outlined in the MITRE ATT&CK framework, notably Initial Access and Reconnaissance. By leveraging social engineering to gain initial access and gather information, the attackers effectively positioned themselves to launch future operations. As these tactics become increasingly sophisticated, it remains crucial for organizations to prioritize cybersecurity awareness and implement robust defenses against such evolving threats.