Suspected Chinese Malware Found On U.S. Trade Group Website

Fidelis Cybersecurity uncovered the Scanbox script in advance of Chinese president Xi Jinping’s visit to the United States

2 min read
Fidelis Cybersecurity uncovered the Scanbox script in advance of Chinese President Xi’s visit to the U.S.
Photo: Nicolas Asfouri/AFP/Getty Images

A U.S. cybersecurity company has uncovered a malicious script on the website of the National Foreign Trade Council, a public policy and lobbying organization devoted to U.S. trade policy. And John Bambenek, threat intelligence manager for Fidelis Cybersecurity, whose team found the script, says he is “highly confident” the script was placed there by Chinese state-sponsored actors.

The script is a tool known as a Scanbox. It has, to date, been used only by groups widely known to be affiliated with the Chinese government. “There's no evidence that anybody else has commandeered or used [Scanbox],” Bambenek says.

The script provides information about a victim's operating system, IP address, and software programs, which attackers can later use in targeted phishing campaigns. For example, if attackers learn that someone is using a browser with known software holes, they may target that person with an exploit that the hackers know will work for the user’s particular version.

Fidelis believes this particular operation, which was observed between 27 February and 1 March, was conducted as espionage in preparation for Chinese president Xi Jinping's meeting with U.S. President Trump today and Friday. Bambenek believes the tool was being used to collect intelligence about trade policy rather than to steal trade secrets from U.S. companies.

Hidden within the National Foreign Trade Council’s site, the Scanbox script ran whenever a visitor navigated to a page with a registration form for an upcoming Board of Directors meeting. That means the script, which has been removed, likely targeted board members, many of whom are also from major U.S. companies.

Bambenek calls Scanbox “a fairly lightweight tool” that is primarily used for gathering information. Chinese groups have relied on it for reconnaissance since at least 2014. Once a victim closes the tab or browser in which Scanbox is operating, they are no longer affected.

Fidelis was alerted to the script when cybersecurity programs it had developed were automatically triggered by software that appeared to be Scanbox. Fidelis says it has shared the information about Scanbox with the Federal Bureau of Investigation.   

Mike Buratowski, vice president of cybersecurity services with Fidelis, says nonprofits and think tanks are increasingly targeted by state-sponsored attackers because they have access to privileged information and are in touch with government agencies.

“The reality is that almost every government in the world has think tanks and policy organizations, and all of these are really the soft targets of government,” Bambenek says.

The Conversation (0)

How Police Exploited the Capitol Riot’s Digital Records

Forensic technology is powerful, but is it worth the privacy trade-offs?

11 min read
Vertical
 Illustration of the silhouette of a person with upraised arm holding a cellphone in front of the U.S. Capitol building. Superimposed on the head is a green matrix, which represents data points used for facial recognition
Gabriel Zimmer
Green

The group of well-dressed young men who gathered on the outskirts of Baltimore on the night of 5 January 2021 hardly looked like extremists. But the next day, prosecutors allege, they would all breach the United States Capitol during the deadly insurrection. Several would loot and destroy media equipment, and one would assault a policeman.

No strangers to protest, the men, members of the America First movement, diligently donned masks to obscure their faces. None boasted of their exploits on social media, and none of their friends or family would come forward to denounce them. But on 5 January, they made one piping hot, family-size mistake: They shared a pizza.

Keep Reading ↓Show less
{"imageShortcodeIds":[]}