Chinese hackers starting to return focus to U.S. corporations

The 2015 agreement to curb corporate espionage looks to be falling by the wayside, according to new research from PwC.
President Barack Obama and President Xi Jinping of China hold a press conference at the Great Hall of the People in Beijing, China, Nov. 12, 2014. (Official White House Photo by Chuck Kennedy)

Security researchers recently found a hacking group with suspected ties to the Chinese government engaged in what appears to be corporate espionage against multiple U.S. companies.

The findings underscore an emerging, albeit opaque, trend in which hackers linked to Beijing are conducting cyber-enabled economic espionage, despite the Chinese Communist Party agreeing to stop such activity against the U.S. as part of a 2015 agreement between Chinese President Xi Jinping and U.S. President Barack Obama.

Experts say the 2015 truce resulted in a noticeable downturn in economic espionage. But there are signs the agreement may be deteriorating under the Trump administration. 

According to recent research by multinational services giant PwC, a hacking group known as “KeyBoy” has returned to the fold with a data theft campaign aimed primarily at Western organizations. The operation, PwC Threat Intelligence Analyst Bart Parys told CyberScoop, shows the continued technical development of a previously reported group that has apparently taken on new and different targets.


“All of the initial uploads for the malware to VirusTotal were from Western countries,” said Parys. “As for volume of scale, from what we can tell several Western organizations were targeted at least, but it hasn’t been possible to get any further visibility into specific victims or a sense of the scale … most uploads to the VirusTotal scanning service were initially from the U.S.”

Prior research by CitizenLab, a research institute focused on digital privacy and surveillance issues, provided evidence that KeyBoy was involved in overlapping espionage operations in 2016 aimed broadly at Chinese minority groups; the timing aligned closely with Beijing’s concerns about unrest in the Tibetan community.

As part of this activity, KeyBoy sent spearphishing emails containing custom backdoor implants to exiled minority group leaders. The implants would exploit two outdated, well-recognized software vulnerabilities in RTF (Rich Text Format) files, which are used in Microsoft Word. One of those vulnerabilities had been patched by an update originally made available in 2012.

CitizenLab found that between 2013 and 2016, KeyBoy had seemingly invested resources in updating and improving their hacking toolkit and other intrusion techniques. The two .RTF vulnerabilities exploited by KeyBoy last year were subsequently connected to data breaches affecting civil society groups engaged in Hong Kong, Taiwan, and the Uighur community — all of which are relevant to Beijing’s security interests.

CitizenLab did not respond to a request for comment regarding the latest KeyBoy appearance.


The sighting by PwC is especially notable because it suggests a new interest area for the hackers. Although domestic surveillance was already associated with this threat actor, foreign corporate espionage was not in their repertoire.

“While the targeting is indeed not specifically consistent with earlier KeyBoy campaigns, the evidence we found, mainly in their TTPs (tactics, tools and procedures), does allow us to say with high probability that this is the same threat actor,” Parys said. “Attack groups definitely evolve over time, and developers may move around between groups, taking new techniques with them.”

In the case identified by PwC, KeyBoy did not need to resort to a software vulnerability. The group exploited a feature within Microsoft Word, specifically attached to the Dynamic Data Exchange (DDE) protocol, to covertly deliver malware.

This DDE technique was publicly disclosed by cybersecurity firm SensePost in early October. Since then, multiple groups have adopted the methodology.

Parys explained why both criminal and nation-state hackers are now relying on the DDE workaround.


“One of the main reasons is that antivirus software will be less likely to alert you about an Office file with DDE, as opposed to an Office document containing a malicious macro or an exploit,” said Parys. “The latter are harder to implement as well, whereas DDE is much easier.”

PwC’s research looked at data gathered between August and October. The evidence suggests KeyBoy remains active and is currently sending phishing emails to U.S. companies.
