ilolab - Fotolia

Chinese hacking group APT10 linked to global trade target

Evidence points to Chinese hacking group APT10 conducting economic espionage in the breach of a trade policy group prior to U.S.-China trade summit talks in Florida.

A prominent U.S. foreign trade lobbying group was breached by the Chinese hacking group APT10 in late February, and the incident appears to be a part of the ongoing Operation Cloud Hopper campaign, which targeted organizations through third-party managed service providers.

Security researchers at Fidelis Cybersecurity discovered the breach of the National Foreign Trade Council (NFTC) while doing a "deep dive" into ongoing activities attributed to the Chinese hacking group.

"APT10, a group that's universally associated with Chinese intelligence, was going after soft targets in advance of the trade summit happening [April 6], presumably to get intelligence and a leg up on the negotiations that are going to be taking place in Mar a Lago [in Palm Beach, Fla.]," John Bambenek, threat research manager at Fidelis Cybersecurity, based in Bethesda, Md., told SearchSecurity. Though, he added: "It's not atypical in the slightest. It would surprise me greatly if our intelligence agencies weren't doing similar to the Chinese and Chinese entities in advance of this meeting, as well."

"Based on our observations, we estimate that it is highly probable that this activity -- which we're calling 'Operation TradeSecret' -- targeted key private-sector players involved in lobbying efforts around United States' foreign trade policy," Fidelis wrote in its report. "Subsequent research has led us to recover artifacts that indicate that a similar operation was conducted by threat actors targeting government officials in Japan. The connections we can draw from the Japanese campaign lead us to estimate that it is highly probable that the actors involved are known as APT10 (aka Stone Panda) in the threat research community."

Fidelis observed a targeted operation in which Scanbox reconnaissance malware was used to target users registering for specific meetings at the NFTC, noting "Scanbox has exclusively been known to have been used by threat actors associated with, or sponsored by, the Chinese government."

However, Bambenek said the Chinese hacking group attack on NFTC should not be considered the kind of economic espionage that was addressed by the Obama administration last year, noting that this type of activity is expected of intelligence agencies.

"The information gleaned could be used to target individuals and organizations and commercial targets to steal intellectual property," Bambenek said. "As an analyst, I don't see that as the motivation, but I don't have sufficient facts at hand to make the counterclaim on that point."

"There are some people claiming Chinese economic espionage is back. The agreement [former] President [Barack] Obama had with President Xi Jinping was for intellectual property theft for the benefit of commercial enterprises. That theoretically could happen in this case, [but] we have no intelligence information that that's what they're doing. This is more traditional espionage," Bambenek said. "My gut tells me this is espionage around economic and trade policy in advance of a meeting discussing economic and trade policy so that China can negotiate harder. So, it's not a breach of the agreement. [While] others differ, I tend to think that that's more an attempt to grab headlines in an unjustified fashion. I think this story sells itself, just calling it what it is: It's economic espionage for foreign policy purposes, and that's what intelligence agencies do."

The Chinese hacking group's use of third-party managed service providers to leverage attacks against softer, nongovernment targets is troubling. "We've known intelligence agencies -- and for that matter, criminal operators -- to go after third parties as a way to get into their true targets," Bambenek said.

"Compromising a trusted third party has become the most effective way for hackers to infiltrate an organization's networks and wreak havoc at the expense of its bottom line and reputation. In recent years, we've seen it with Target and a compromised HVAC company, with the Oracle MICROS POS [point-of-sale] breach that impacted a number of retail and hospitality customers, and countless other examples," Fred Kneip, CEO of Denver-based CyberGRX, told SearchSecurity. "Operation Cloud Hopper, which preys on organizations' trust of cloud service providers they rely on to drive their business, is the latest example of the evolution of third-party cyber-risk. Until the industry learns to take a more collaborative approach to managing third-party cyber-risk, it will remain the most effective vector for hackers for the simple reason that it's easiest way to breach the network."

Andres Zeller, global solutions architect at domain name system security provider Infoblox, based in Santa Clara, Calif., said the Chinese hacking group was using a "very disturbing exploit" of the targeted managed service providers.

"The implication is that compromise of cloud operations gives you access to use credentials to then compromise tenants, and then infect and cross the 'blood-brain' barrier of the cloud ecosystem. At that point, multi-tenancy and data separation become a fallacy," Zeller told SearchSecurity. "While it may not always be possible to prevent initial infection, rapid containment is a key tenet of incident response for cybersecurity engineers."

What steps should soft targets take?

Bambenek warned of the threats being targeted through third-party entities -- threats that are still being played out not just in the U.S., but also in "France, Germany and a lot of other places." Whether the threat is from Chinese hacking or from Russia, North Korea, Iran or elsewhere, "if you're a government, you've got a lot of soft targets: think tanks, trade associations, political parties," Bambenek said.

"These are places where policy is debated and, in some senses, decided before it even gets to legislators and executive mansions and so on. It has real intelligence value that is debated and discussed in these entities. And, as a result, they're appealing targets for foreign intelligence services, but they're not government; they don't get the same level of protection for what would be obvious reasons."

"Government leaders need to be aware of the risks these entities pose," Bambenek said -- not just that that they exist, but also how they can protect themselves. Other industries have threat-sharing groups, but there aren't any threat-sharing groups for political parties and think tanks.

"I would hope that the RNC [Republican National Committee] and the DNC [Democratic National Committee], at some point, learn how to at least cooperate in terms of sharing threats from foreign actors with each other, because I may have my preferred political flavor and they've got theirs, but in the end, we're all Americans and we'd rather us decide our issues instead of Russia, China, or XYZ."

"They ought to be setting up mechanisms to cooperate and share data. A lot of the vulnerabilities that these entities use really revolve on things that are relatively simple to fix: good password management, patching all of your stuff, security awareness, not clicking on dumb things, avoiding phishing," Bambenek said. "Let's get the simple stuff right, and that goes a long way."

Next Steps

Find out more about managing third-party vendor security

Learn about the need for cloud encryption to protect against breaches

Read about how protected health information is exploited on the deep web

Dig Deeper on Risk management

Enterprise Desktop
Cloud Computing