Connect with us

Hi, what are you looking for?



China-Linked Hackers Target U.S. Trade Group

A threat actor linked to China hijacked the website of a prominent U.S. trade association in an effort to deliver reconnaissance malware to individuals who accessed certain web pages.

A threat actor linked to China hijacked the website of a prominent U.S. trade association in an effort to deliver reconnaissance malware to individuals who accessed certain web pages.

Fidelis Cybersecurity published a report detailing the campaign on Thursday, just hours before a meeting between U.S. President Donald Trump and his Chinese counterpart, Xi Jinping.

The company noticed in late February that the website of the National Foreign Trade Council (NFTC) had been hacked and set up to serve malware in what is known as a watering hole attack, or a strategic web compromise. Experts believe the attack ended by March 2, when links injected into the NFTC website had been removed.

Evidence uncovered by investigators led them to believe that the attack was conducted by a China-linked cyber espionage group known as APT10, MenuPass and Stone Panda. Fidelis has dubbed the campaign Operation TradeSecret.

According to researchers, the hackers set up certain web pages of the NFTC website to serve a reconnaissance framework known as Scanbox. The tool has been used for several years, including in attacks aimed at U.S. organizations and the Uyghur population in China.

Scanbox has various plugins that allow attackers to collect information about the infected system and the software installed on it, and log keystrokes from the web browser. The harvested data can then be used to launch further attacks against the targeted individuals.

In the case of the NFTC, whose board of directors includes some of the largest private sector companies in the United States, APT10 targeted only specific web pages. One of them was a registration page for a board of directors meeting, which suggests that people or organizations expected to attend the meeting had been targeted.

“All organizations that have representatives on the board of directors of the NFTC — or those who would have a reason to visit the site — should investigate potentially impacted hosts using indicators provided in this report,” warned Fidelis. “Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks — such as spearphishing campaigns.”

Advertisement. Scroll to continue reading.

The security firm said it notified the lobbying group of the breach. SecurityWeek has reached out to NFTC for comment and will update this article if the organization responds.

Fidelis also reported seeing a similar campaign involving a fake website of Japan’s Ministry of Foreign Affairs. The APT10 attacks targeting Japan were also detailed in a report published this week by PwC UK and BAE Systems.

The research conducted by the two companies focused on attacks launched by APT10 against managed service providers (MSPs) in at least fourteen countries.

Related: China-Linked Group Uses New Malware in Japan Attacks

Related: Chinese Spying Drops in Volume, Becomes More Focused

Related: U.S. Firms Targeted by China Even After Cyber Deal

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.