Written by Shannon Vavra
When a Chinese bank asked a new client to use a specific kind of tax software as a condition of doing business, the company didn’t know that the tax technology came with a backdoor that would give hackers a new way in, according to research from Trustwave.
The Chinese bank had told the U.K.-based defense contractor that the Chinese government required firms to use that specific software tool to pay local taxes. However, findings published Tuesday by the security vendor Trustwave spotlight how the tax software’s developer has relied on a number of subcontractors to build software flaws into other software tools for years.
The programs must be used through the Chinese government’s Golden Tax Project, a tax system launched in the 1990s to streamline tax administration, according to Trustwave. The security company did not identify the Chinese bank or the U.K.-based defense contractor.
The revelation that Beijing mandates the use of specific technologies that are capable of executing arbitrary code against customers comes amid U.S. intelligence officials’ warnings that businesses in China may act as a vector for espionage. In particular, the U.S. government has sought to restrict the business of Chinese telecommunications companies, including Huawei and ZTE, in the U.S. over national security concerns, namely that Huawei has been alleged to have a backdoor into mobile networks.
The network of companies behind the tax software scheme itself can be traced back to the Chinese government, according to Trustwave. Trustwave is not attributing the campaign to the Chinese government, but the operation resembles state-backed intelligence campaigns, Brian Hussey, the company’s vice president of cyber threat detection and response, told CyberScoop.
“The traits of a nation-state attack exist: it’s intel gathering, it’s not loud flashy malware, it’s focused and very quiet,” Hussey, who previously led a malware analysis and counterintelligence unit at the FBI, told CyberScoop. “I know that the Chinese government very frequently uses their state-owned private organizations, their state-owned university system for just this kind of work.”
The nefarious tax software, called Intelligent Tax, was developed by the Aisino Corporation, a subsidiary of the China Aerospace Science & Industry Corporation Limited (CASIC), according to Trustwave. Aisino used subcontractors, called Chenkuo Network Technology and NouNou Technologies, to produce the intelligence-gathering tools, known as GoldenSpy and GoldenHelper, researchers said.
China’s Golden Tax Project software was developed by Aisino in collaboration with scientists from the Harbin Institute of Technology and Beijing University of Posts and Telecommunications, according to South China Morning Post. Both universities have been linked with the Chinese Ministry of State Security and other Chinese intelligence outfits, the Australian Strategic Policy Institute reported.
It’s not clear how involved the banks or the companies are, or how aware they are of the backdoors and their capabilities, Hussey said, adding that when his company tried to get in touch with them, it either received no response or found that company contact emails bounced back.
Aisino, CASIC, the Chinese Foreign Ministry, the FBI, and the universities did not immediately return requests for comment.
A sweeping campaign?
Although Intelligent Tax does function correctly, it also silently deploys a backdoor two hours after initial installation. That technique is employed in an apparent effort to avoid detection and maintain access to targets, the researchers say.
Other techniques include randomizing the backdoor’s communications with its command and control server, which can help it evade detection, the researchers noted. The software also is difficult to remove because it installs two versions of itself, and downloads a new version of itself if it is deleted.
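The behaviours described in the two preceding paragraphs (a stage that appears hours after the installer ran, jittered beaconing to a command-and-control server, two copies of the same binary, and a deleted file reappearing) are the kind of thing a defender can hunt for in endpoint telemetry. The script below is an added example written for this article, not Trustwave's tooling or anything published by the researchers. It runs over a constructed event log in a hypothetical `timestamp type key=value` format; the paths, hashes (`aaa`, `bbb`), process ids and the 203.0.113.10 address are all made up for the demonstration.

```python
"""Hunt for the backdoor behaviours described in the article, over a constructed log.

Event format (hypothetical, not any real product's output):
    <ISO timestamp> <kind> key=value ...
kinds used: proc_start, net_connect, file_delete, file_create
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry. Paths, hashes, pids and the 203.0.113.10
# (documentation range) address are placeholders, not real indicators.
SAMPLE_EVENTS = r"""
2020-06-01T09:00:00 proc_start pid=100 image=C:\Tax\installer.exe hash=aaa parent=0
2020-06-01T11:05:00 proc_start pid=200 image=C:\Tax\svc.exe hash=bbb parent=100
2020-06-01T11:05:03 proc_start pid=201 image=C:\Tax\svc_copy.exe hash=bbb parent=200
2020-06-01T11:06:00 net_connect pid=200 dst=203.0.113.10:443
2020-06-01T11:37:00 net_connect pid=200 dst=203.0.113.10:443
2020-06-01T12:21:00 net_connect pid=200 dst=203.0.113.10:443
2020-06-01T13:00:00 file_delete path=C:\Tax\svc.exe
2020-06-01T13:00:30 file_create path=C:\Tax\svc.exe hash=bbb
"""


def parse(text):
    """Turn each non-empty log line into a dict with a parsed timestamp and kind."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        fields["kind"] = kind
        events.append(fields)
    return events


def delayed_stage(events, min_delay=timedelta(hours=1)):
    """Child processes that start long after their parent (e.g. an installer) did.

    Returns a list of (image, delay) tuples.
    """
    started = {e["pid"]: e for e in events if e["kind"] == "proc_start"}
    hits = []
    for e in started.values():
        parent = started.get(e.get("parent"))
        if parent and e["ts"] - parent["ts"] >= min_delay:
            hits.append((e["image"], e["ts"] - parent["ts"]))
    return hits


def duplicate_copies(events):
    """The same binary (by hash) running from more than one path."""
    by_hash = defaultdict(set)
    for e in events:
        if e["kind"] == "proc_start" and "hash" in e:
            by_hash[e["hash"]].add(e["image"])
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def self_restore(events, window=timedelta(minutes=10)):
    """A deleted file recreated at the same path within the window (self-repair)."""
    hits = []
    for d in (e for e in events if e["kind"] == "file_delete"):
        for c in (e for e in events if e["kind"] == "file_create"):
            gap = c["ts"] - d["ts"]
            if c["path"] == d["path"] and timedelta(0) <= gap <= window:
                hits.append((d["path"], gap))
    return hits


def beacon_intervals(events):
    """Minutes between successive connections per (pid, destination).

    Irregular gaps to one destination are what jittered beaconing looks like.
    """
    conns = defaultdict(list)
    for e in events:
        if e["kind"] == "net_connect":
            conns[(e["pid"], e["dst"])].append(e["ts"])
    out = {}
    for key, stamps in conns.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(stamps, stamps[1:])]
        if gaps:
            out[key] = gaps
    return out


def analyse(text=SAMPLE_EVENTS):
    """Run all four checks and return their findings keyed by check name."""
    ev = parse(text)
    return {
        "delayed_stage": delayed_stage(ev),
        "duplicate_copies": duplicate_copies(ev),
        "self_restore": self_restore(ev),
        "beacons": beacon_intervals(ev),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

Run against the constructed log, the script flags the service started two hours after the installer, the second copy of the same hash under a different name, the file that reappears 30 seconds after deletion, and the uneven 31- and 44-minute gaps between connections to one host. On real telemetry the same checks would be fed from process-creation, network and file events from an EDR or Sysmon-style source, and the thresholds would need tuning against legitimate installers that also schedule later work.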
The campaign is extensive, Hussey told CyberScoop: it has targeted dozens of companies across Europe, the Middle East, the U.S., Canada, and Australia, in sectors ranging from defense contracting and hospitality to finance and sports.
The attackers appear to be actively maintaining their access to targets. Last month, for instance, the actors began to update GoldenSpy, Hussey told CyberScoop. First they worked to quietly remove log entries, registry entries, files, folders, and the uninstaller, all without notification. Then they deployed a new backdoor to evade detection, Hussey said.
While the actor behind the cyber-operation may be unknown, the requirement that these mysterious products be used is a reminder that companies should take caution with their security plans if doing business in China, Hussey said.
“It’s not like it was just a random email that installed this. It was a relationship and trust built over time [with the bank]. It’s almost like social engineering on steroids, because it’s not just a well crafted phishing email. It’s months and months of relationship building and trust building,” Hussey said. “It’s a very very clever deployment mechanism.”