Cyber Incident Victim: National Foreign Trade Council
Date: Feb 2017
Location: United States of America
Summary
Chinese state-linked hackers targeted a major trade council's board members, including representatives from prominent technology firms, using a reconnaissance tool known as Scanbox that was injected into the organization's website registration page. The operation aimed to gather intelligence on individuals involved in trade policy discussions, profiling their systems so that future spearphishing campaigns could exploit vulnerabilities in the targeted software. While no successful breaches were confirmed, the attackers sought application version information and deployed keyloggers to support subsequent espionage efforts. The incident, attributed to the APT10 group, fit broader targeting patterns observed against government and private-sector entities in allied nations. The compromised organization worked with cybersecurity experts and law enforcement to mitigate the threat and removed the malicious link once the operation was discovered.
Description
Between 27 February and 1 March 2017, a hacking operation designated "Operation TradeSecret" compromised the National Foreign Trade Council (NFTC) website registration pages using a reconnaissance tool called Scanbox. The attackers injected malicious links into the site to deploy Scanbox on the devices of visitors, particularly targeting individuals registering for a 7 March 2017 board of directors meeting in Washington DC. The NFTC's board included representatives from major technology and financial firms such as Google, Amazon, Microsoft, IBM, Visa, eBay, and Cisco. Scanbox collected technical information about victims' systems, including application versions and vulnerabilities, to facilitate future targeted attacks. Security firm Fidelis Cybersecurity identified the compromise and noted the tool’s historical association with Chinese state-sponsored hacking groups. No successful data exfiltration or follow-on attacks were confirmed during this phase.

Fidelis Cybersecurity alerted the NFTC, which collaborated with the firm and the FBI to remove the malicious links by 2 March 2017. Investigators attributed the operation with high confidence to the advanced persistent threat group Stone Panda (APT10), which had previously been implicated in cyber-espionage campaigns against Western targets. The incident coincided with US-China trade policy discussions, as several NFTC-affiliated individuals were involved in shaping the Trump administration’s trade agenda. Parallel attacks against Japanese government officials were also identified. While the malware was eradicated before the scheduled board meeting, Fidelis warned that harvested reconnaissance data could enable subsequent spearphishing campaigns against attendees. The activity raised questions about the status of the 2015 US-China cyber-espionage accord but did not conclusively violate its terms due to the operation’s reconnaissance-focused nature.
