Spyware hidden in Chinese tax software was probably planted by a nation-state, say experts

The malware's sophistication, and the lack of an obvious quick payoff, seems to show it was planted by a nation-state, says cybersecurity firm Trustwave.

Breaking News Emails

Get breaking news alerts and special reports. The news and stories that matter, delivered weekday mornings.
SUBSCRIBE
By Ken Dilanian

WASHINGTON — Earlier this year, a multinational technology vendor doing business in China was instructed by its Chinese bank to install software to pay local taxes.

The tax software was legitimate, but embedded inside it was a nasty surprise, according to a new report by a private security firm: A sophisticated piece of malware that gave attackers complete access to the company's network.

The firm, Trustwave, has dubbed the malicious software "GoldenSpy," and is warning others in a report released Thursday to search their networks for it.

It's the latest example of how companies and individuals should take special care when operating in China, said Brian Hussey, a former FBI cyber specialist and Trustwave's vice president for threat detection and response.

Click here to read the report.

"If you do operations in China and if somebody asks you to install something, we're urging additional vigilance," Hussey said. "We're urging everybody to check to see if they are impacted."

Trustwave did not identify its victim client, as is customary in the cybersecurity industry, other than to call it a technology vendor that does business in the U.S., U.K. and Australian defense sectors. Trustwave said the malware became active in April, and since it was detected early, the firm was not able to confidently say whether it is the work of the Chinese government or a criminal group.

But the malware's sophistication, and the lack of an obvious quick financial payoff, appears to point to a nation-state as the culprit, Hussey said.

"We don't know how widespread it is," Hussey said. "Was our client targeted because they have important information? Or is everybody targeted?"

Trustwave spotted the malware after it noticed some suspicious "beaconing" from the client's network, Hussey said.

The cybersecurity firm discovered that the spyware activated two hours after the tax software was installed, Hussey said, covertly installing a backdoor that allowed attackers to install other malware on the network.

The malicious code was extremely sophisticated, Hussey said. It had what he called a triple layer of persistence. It installed itself at two different locations on the network, and if one was deleted, the other one automatically kicked in. There was also a so-called protector module, which would download and install another copy in the event both were deleted.

The software beaconed to a remote server at random intervals to evade detection, Hussey said.

"At this point, we are unable to determine how widespread this software is," the report said. "We currently know of one targeted technology/software vendor and a highly similar incident occurring at a major financial institution, but this could be leveraged against countless companies operating and paying taxes in China or may be targeted at only a select few organizations with access to vital information."

Every major global power conducts digital espionage, using malicious software to penetrate corporate and government networks to surreptitiously gather information. But U.S. officials say China steals not just defense secrets but intellectual property to enrich Chinese companies, something they say American spy agencies don't do.

In March, cybersecurity company FireEye reported observing a large uptick in Chinese cyber economic espionage as U.S.-China relations worsened. In May, the U.S. accused China of hacking an attempt to get a leg up on a coronavirus vaccine. China denies that it engages in economic spying.

"The GoldenSpy campaign…has the characteristics of a coordinated Advanced Persistent Threat (APT) campaign targeting foreign companies operating in China," the Trustwave report says.