Chinese cyber spies likely culprits in hack on US trade group


In this Aug. 16, 2016 photo, attendees walk past a live visualization of internet attacks across China during the 4th China Internet Security Conference (ISC) in Beijing. A Chinese technology regulator has announced Sunday, Jan 23, 2017 a year-long campaign to root out services that allow people in the country to circumvent the government's Internet censorship. (AP Photo/Ng Han Guan)

Foreign actors very possibly associated with the Chinese-backed hacker group APT10 targeted trade policy lobbyists with reconnaissance malware in late February, according to a report released April 6.

According to the findings of Fidelis Cybersecurity, a web reconnaissance tool known as “Scanbox” was part of an information-gathering campaign aimed at the National Foreign Trade Council’s board of directors — private-sector participants in conversations on the Trump administration’s trade policy formulation.

As explained in the “Operation TradeSecret” report, a link on the NFTC website registration page for a board of directors meeting in Washington, D.C., led to a remote script allowing the Scanbox framework to run on the computer of anyone who visited the web page. To date, the use of Scanbox has been exclusive to threat actors associated with, or sponsored by, the Chinese government.

The Scanbox capabilities include the ability to determine applications running on the target machine and to run JavaScript keyloggers. Typically, this information is gathered to enable more compromising spear-phishing campaigns.

Fidelis says it conveyed its findings to NFTC in early March, and its report includes technical analysis of the Scanbox deployment to allow other researchers to extend visibility into these actions.

The entire report can be viewed on