Chinese hacking group APT10 linked to global trade target

A prominent U.S. foreign trade lobbying group was breached by the Chinese hacking group APT10 in late February, and the incident appears to be a part of the ongoing Operation Cloud Hopper campaign, which targeted organizations through third-party managed service providers.

Security researchers at Fidelis Cybersecurity discovered the breach of the National Foreign Trade Council (NFTC) while doing a "deep dive" into ongoing activities attributed to the Chinese hacking group.

"APT10, a group that's universally associated with Chinese intelligence, was going after soft targets in advance of the trade summit happening [April 6], presumably to get intelligence and a leg up on the negotiations that are going to be taking place in Mar a Lago [in Palm Beach, Fla.]," John Bambenek, threat research manager at Fidelis Cybersecurity, based in Bethesda, Md., told SearchSecurity. Though, he added: "It's not atypical in the slightest. It would surprise me greatly if our intelligence agencies weren't doing similar to the Chinese and Chinese entities in advance of this meeting, as well."

"Based on our observations, we estimate that it is highly probable that this activity -- which we're calling 'Operation TradeSecret' -- targeted key private-sector players involved in lobbying efforts around United States' foreign trade policy," Fidelis wrote in its report. "Subsequent research has led us to recover artifacts that indicate that a similar operation was conducted by threat actors targeting government officials in Japan. The connections we can draw from the Japanese campaign lead us to estimate that it is highly probable that the actors involved are known as APT10 (aka Stone Panda) in the threat research community."

Fidelis observed a targeted operation in which Scanbox reconnaissance malware was used to target users registering for specific meetings at the NFTC, noting "Scanbox has exclusively been known to have been used by threat actors associated with, or sponsored by, the Chinese government."

However, Bambenek said the Chinese hacking group attack on NFTC should not be considered the kind of economic espionage that was addressed by the Obama administration last year, noting that this type of activity is expected of intelligence agencies.

"The information gleaned could be used to target individuals and organizations and commercial targets to steal intellectual property," Bambenek said. "As an analyst, I don't see that as the motivation, but I don't have sufficient facts at hand to make the counterclaim on that point."

"There are some people claiming Chinese economic espionage is back. The agreement [former] President [Barack] Obama had with President Xi Jinping was for intellectual property theft for the benefit of commercial enterprises. That theoretically could happen in this case, [but] we have no intelligence information that that's what they're doing. This is more traditional espionage," Bambenek said. "My gut tells me this is espionage around economic and trade policy in advance of a meeting discussing economic and trade policy so that China can negotiate harder. So, it's not a breach of the agreement. [While] others differ, I tend to think that that's more an attempt to grab headlines in an unjustified fashion. I think this story sells itself, just calling it what it is: It's economic espionage for foreign policy purposes, and that's what intelligence agencies do."

The Chinese hacking group's use of third-party managed service providers to leverage attacks against softer, nongovernment targets is troubling. "We've known intelligence agencies -- and for that matter, criminal operators -- to go after third parties as a way to get into their true targets," Bambenek said.

"Compromising a trusted third party has become the most effective way for hackers to infiltrate an organization's networks and wreak havoc at the expense of its bottom line and reputation. In recent years, we've seen it with Target and a compromised HVAC company, with the Oracle MICROS POS [point-of-sale] breach that impacted a number of retail and hospitality customers, and countless other examples," Fred Kneip, CEO of Denver-based CyberGRX, told SearchSecurity. "Operation Cloud Hopper, which preys on organizations' trust of cloud service providers they rely on to drive their business, is the latest example of the evolution of third-party cyber-risk. Until the industry learns to take a more collaborative approach to managing third-party cyber-risk, it will remain the most effective vector for hackers for the simple reason that it's easiest way to breach the network."

Andres Zeller, global solutions architect at domain name system security provider Infoblox, based in Santa Clara, Calif., said the Chinese hacking group was using a "very disturbing exploit" of the targeted managed service providers.

"The implication is that compromise of cloud operations gives you access to use credentials to then compromise tenants, and then infect and cross the 'blood-brain' barrier of the cloud ecosystem. At that point, multi-tenancy and data separation become a fallacy," Zeller told SearchSecurity. "While it may not always be possible to prevent initial infection, rapid containment is a key tenet of incident response for cybersecurity engineers."