The emergence of a new, extremely sophisticated spyware suggests that China is infiltrating foreign companies operating on its soil with surveillance tools. A report by cyber security firm Trustwave details a tool called ‘GoldenSpy’, which it believes was planted by Chinese nation-backed threat actors: sophisticated cyber surveillance code hidden inside seemingly legitimate software. According to Trustwave, GoldenSpy was embedded in a copy of a Chinese accountancy package, and that package was installed by an unnamed technology company that works in the American, Australian and British defence sectors.
Brian Hussey, VP of threat detection and response at Trustwave, and a former FBI cyber crime specialist, told NBC, “We don’t know how widespread it is. Was our client targeted because they have important information? Or is everybody targeted?” While Trustwave has not been able to conclusively judge whether this was the work of a criminal group or backed by the Chinese government, the firm’s report speculates that the sophistication of the malware, coupled with the lack of any apparent financial motive, indicates state-backed action. Stating that GoldenSpy had all the signs of an Advanced Persistent Threat (APT) hacking campaign, Hussey further called for “additional vigilance”, and urged everybody (i.e. foreign companies doing business in China) to check whether they have been affected by GoldenSpy.
The spyware in question is reportedly quite sophisticated. After the accounting software was installed at the technology firm, the tool waited two hours before activating. It installed itself in two different nodes of the network, so that the second node would automatically start operating if the first was detected and deleted. Trustwave also states that, once installed, GoldenSpy covertly planted a backdoor in the system, which would allow remote attackers to install further malware into the system, presumably to steal more data. To evade detection, GoldenSpy beaconed out to a remote terminal at random, irregular intervals rather than on a fixed schedule, and it even had what Trustwave calls a ‘protector’ module, which would use the previously installed backdoor to re-download the spyware if the entire setup was deleted.
“We currently know of one targeted technology/software vendor and a highly similar incident occurring at a major financial institution, but this could be leveraged against countless companies operating and paying taxes in China. It may also be targeted at only a select few organisations with access to vital information,” said Hussey in Trustwave’s report.
While China has officially denied conducting such aggressive cyber espionage, numerous cyber security firms have repeatedly spotted breaches of this kind attributed to alleged state-backed threat actors. GoldenSpy is a largely unknown entity right now, and it remains to be seen whether the tool is affecting more companies on a larger scale; if so, it may present a greater cyber threat to organisations based in other nations as well.