Elite Chinese hackers target board directors at some of the world's largest firms

The APT 10 hacking group has struck again, this time using a watering hole attack to compromise the National Foreign Trade Council website and gather sensitive data about its directors.
Written by Danny Palmer, Senior Writer on

Hackers managed to inject the NFTC website with malicious code in a watering hole attack

Image: iStock

Nation state level hackers based out of China have targeted directors at some of the world's largest firms by compromising the website of a global trade lobby group.

The sophisticated nature of the campaign against the Washington-based National Foreign Trade Council has led cybersecurity researchers at Fidelis to the conclusion that the attacks were carried out by the Chinese APT10 hacking group.

It's the second time in a week that an APT10 campaign has come to light, with PwC also detailing how the group has been targeting managed IT services providers across the globe in order to steal sensitive data.

The latest campaign, dubbed Operation Tradesecret, has been detailed in a new report, and has come to light just ahead of US President Donald Trump's meeting with Chinese President Xi Jinping. The two leaders are expected to discuss cyber warfare and cybersecurity. The number of cyberattacks emerging from China has declined recently, although the incidents that are taking place are more sophisticated and targeted.

Fidelis security researchers say specific pages of NFTC's website were injected with a watering hole attack link, designed to run malware to compromise a very precise set of targets: those registering for specific meetings at the NFTC, such as a board of directors meeting in Washington DC.

The targeted individuals hold key roles in some of the largest corporations in the world and gaining access to their personal data and sensitive corporate information would be a boon for hackers looking for ways to steal company secrets.

This particular campaign took place between February 27 and March 1, with malicious links on the NFTC website serving Scanbox malware, a well-known web reconnaissance tool that has been used in cyberespionage campaigns dating back to at least 2014. It has also been associated with campaigns linked to the Chinese government.

Cyberespionage capabilities of Scanbox -- which was also used in attacks against the US Office of Personnel Management and Anthem Healthcare -- include monitoring which websites were viewed by the victim as well as their operating system, screen size, and location, along with keylog monitoring.

The latter potentially enables attackers to make off with login details and passwords for internal networks and even compromise others using phishing attacks.

Indeed, Fidelis notes how the waterhole attack against the National Foreign Trade Council is likely to be a precursor for an upcoming sustained campaign against targets -- and those affected should be mindful.

"The reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that such personnel will be subject to further targeted attempts to compromise them -- for example, through a spearphishing campaigns," the report warns.

The malicious link itself was removed from the NFTC website on March 2 and Fidelis briefed the organisation about the incident shortly after it was discovered.

The APT10 hacking collective has been focusing on espionage since 2009 and has evolved from targeting US defence firms, as well as the technology and telecommunications sectors, to organisations in multiple industries across the globe.

The group was behind the Poison Ivy malware family, and today uses custom tools capable of compromising organisations and their customers, as well as stealing large amounts of data.


Editorial standards