Researchers at Fidelis Security have revealed data suggesting Chinese state-funded actors engaged in acts of industrial espionage against a number of major US corporations, including the targeting of employees involved in lobbying the Trump administration on trade policy. The reveal comes just as China's president, Xi Jinping, begins his visit with President Donald Trump.

Fidelis' post shares details of a malware campaign that caused a number of websites—including that of the National Foreign Trade Council—to deliver a JavaScript-based reconnaissance tool called "Scanbox" to site visitors. A similar effort, this one coming from a fake site pretending to belong to the Japanese Foreign Ministry, was also detected.

Scanbox has been previously detected in a number of espionage campaigns, including one recently targeting a political site focused on China's Uighur minority. The forensic details of this new campaign led Fidelis researchers to believe it was conducted by Chinese government or government-funded attackers associated with the threat group known by researchers as APT10, or "Stone Panda."

Similar activity has been tracked by PwC and BAE Systems since late 2016, largely targeting Japanese organizations by attacking their IT-managed service providers to gain access to their networks. Past attacks using the Scanbox framework have been conducted by other Chinese state actor threat groups, including the espionage campaigns against Forbes in 2014 and 2015 and the breach at the health provider Anthem.

Scanbox is an entirely Web-based tool that can conduct a number of reconnaissance tasks to assist in targeted attacks later. "It can be used to determine the versions of applications, as well as other selected tools, such as JavaScript keyloggers, running on the target's machine," Fidelis reported. "The information gathered with this reconnaissance can be used in phishing campaigns directed toward targeted individuals. These campaigns can then exploit specific vulnerabilities known to exist within the user's applications."

Between February 27 and March 1, the attackers were able to inject code into a number of pages on the website of the NFTC that retrieved the Scanbox JavaScript tool from a server at the domain personanddog.info. Based on DNS data, the server behind the domain was hosted by the US-based GorillaServers Inc., a dedicated server provider in Los Angeles. (GorillaServers also hosted the domain used in the campaign targeting Uighur activists.) One link to the tool was associated with an invitation to register for a March 7 NFTC board of directors meeting.

NFTC has been heavily involved in lobbying efforts regarding the Trump administration's trade policy, including an effort urging action on Trump's appointee for US Trade Representative, Robert Lighthizer. NFTC previously supported the Trans Pacific Partnership and has been critical of Trump's travel ban executive orders.