Global Weekly Executive Summary, 09 NOV 2017

Chinese APTs Renew Corporate Espionage Operations Against US Companies

Two years after the US and China agreed not to conduct or support cyber operations against each other in ways that would affect the commercial sector, new threat intelligence research from PwC seems to indicate that China has recently renewed corporate espionage efforts targeting US companies efforts after a period of decreased activity.

Key Details

  • According to the White House Press Office Archives, “On September 24-25, 2015, President Barack Obama hosted President Xi Jinping of China for a State visit.” “The United States and China agree that neither country’s government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”
  • Recent examples of suspected Chinese cyberespionage operations targeting US companies include the CCleaner supply-chain malware incident and the KeyBoys cyberespionage campaign.
    • The CCleaner malware/backdoor attacks in September 2017 targeted US tech companies Google, Microsoft, Intel, and VMware and seems to have been created to collect corporate intelligence. For more details about the CCleaner, read our CSCC Forensics article on the CCleaner supply-chain malware.
    • The KeyBoys data theft campaign during Fall 2017 targeted Western organizations that included several unnamed US companies.
      • The KeyBoys is a known threat actor who has altered their pattern to target Western organizations, likely for corporate espionage.
      • The KeyBoys are thought to be “a hacking group based in or operating from China, and is mainly engaged in espionage activity” (PwC Blog)
      • The KeyBoys has also updated their TTPs and are now “using a specially crafted Microsoft Word document using the Dynamic Data Exchange (DDE) protocol to fetch/download remote payloads.” (InfoSecurity Magazine)
      • Microsoft issued an advisory for mitigating DDE attacks on 8 November 2017 after multiple threat actors recently began using this style of attack.

Significance

  • There was a decrease in corporate espionage activity from China after the 2015 US-China agreement to cease cyberespionage operations, including intellectual property theft, that would affect private sector companies.
  • On 4 October 2017, the US Department of Justice and the Chinese counterpart met and reaffirmed both countries’ support of the 2015 agreements.

Sources:

The White House Press Office Archives, FACT SHEET: President Xi Jinping’s State Visit to the United States

Wired, CHINA TESTS THE LIMITS OF ITS US HACKING TRUCE

US Department of Justice, Office of Public Affairs News Release, First U.S.-China Law Enforcement and Cybersecurity Dialogue

InfoSecurity Magazine, Chinese KeyBoy Group Unlocks More Victim Networks

PwC Blog, The KeyBoys are back in town

PwC, The KeyBoys are back in town