A U.S. cybersecurity company has uncovered a malicious script on the website of the National Foreign Trade Council, a public policy and lobbying organization devoted to U.S. trade policy. And John Bambenek, threat intelligence manager for Fidelis Cybersecurity, whose team found the script, says he is “highly confident” the script was placed there by Chinese state-sponsored actors.
The script is a tool known as a Scanbox. It has, to date, been used only by groups widely known to be affiliated with the Chinese government. “There's no evidence that anybody else has commandeered or used [Scanbox],” Bambenek says.
The script provides information about a victim's operating system, IP address, and software programs, which attackers can later use in targeted phishing campaigns. For example, if attackers learn that someone is using a browser with known software holes, they may target that person with an exploit that the hackers know will work for the user’s particular version.
Fidelis believes this particular operation, which was observed between 27 February and 1 March, was conducted as espionage in preparation for Chinese president Xi Jinping's meeting with U.S. President Trump today and Friday. Bambenek believes the tool was being used to collect intelligence about trade policy rather than to steal trade secrets from U.S. companies.
Hidden within the National Foreign Trade Council’s site, the Scanbox script ran whenever a visitor navigated to a page with a registration form for an upcoming Board of Directors meeting. That means the script, which has been removed, likely targeted board members, many of whom are also from major U.S. companies.
Bambenek calls Scanbox “a fairly lightweight tool” that is primarily used for gathering information. Chinese groups have relied on it for reconnaissance since at least 2014. Once a victim closes the tab or browser in which Scanbox is operating, they are no longer affected.
Fidelis was alerted to the script when cybersecurity programs it had developed were automatically triggered by software that appeared to be Scanbox. Fidelis says it has shared the information about Scanbox with the Federal Bureau of Investigation.
Mike Buratowski, vice president of cybersecurity services with Fidelis, says nonprofits and think tanks are increasingly targeted by state-sponsored attackers because they have access to privileged information and are in touch with government agencies.
“The reality is that almost every government in the world has think tanks and policy organizations, and all of these are really the soft targets of government,” Bambenek says.