A multinational technology company conducting business in China found a hidden piece of malware inside tax software it had been instructed to install in order to pay local taxes, NBC News reports.
The hidden malware gave attackers full access to the company's network, according to the private security firm that found it.
The company that was compromised was not named, but the firm that found the malware, Trustwave, published a report on Thursday telling other companies how to check whether they have been affected as well.
Trustwave named the malware “GoldenSpy.” The security firm said it was extremely sophisticated.
“The GoldenSpy campaign…has the characteristics of a coordinated Advanced Persistent Threat (APT) campaign targeting foreign companies operating in China,” the Trustwave report states. “At this point, we are unable to determine how widespread this software is. We currently know of one targeted technology/software vendor and a highly similar incident occurring at a major financial institution, but this could be leveraged against countless companies operating and paying taxes in China or may be targeted at only a select few organizations with access to vital information.”
Trustwave said its client was instructed by its Chinese bank to install the software, which was legitimate, in order to pay local taxes. The malware was embedded inside.
Brian Hussey, a former FBI cyber specialist and Trustwave's vice president for threat detection and response, said companies need to be hyper-aware when conducting business in China.
“If you do operations in China and if somebody asks you to install something, we’re urging additional vigilance,” Hussey told NBC News. “We’re urging everybody to check to see if they are impacted.”
Trustwave said it identified the malware quickly, so it is not yet clear whether it was planted by the Chinese government or by a criminal group.
Hussey suggests the government planted GoldenSpy because of the malware’s sophistication and lack of any funds being stolen.
“We don’t know how widespread it is,” Hussey said. “Was our client targeted because they have important information? Or is everybody targeted?”
The company knew something was off after it noticed some suspicious “beaconing” from its network, Hussey said.
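The "beaconing" that tipped the company off is the classic detection opportunity here: an implant that checks in with its operators tends to connect to the same host at a near-constant interval, which stands out against ordinary, irregular user traffic. The script below is an added illustration of that detection idea; it is not from the Trustwave report or NBC News, and the connection records, hosts, addresses and thresholds are all constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records from one workstation:
# "timestamp src_ip dst_ip bytes". The 203.0.113.10 entries check in roughly
# every 60 seconds (beacon-like); the 198.51.100.5 entries are irregular.
SAMPLE_LOG = """\
2020-06-01T09:00:00 10.1.2.15 203.0.113.10 512
2020-06-01T09:00:03 10.1.2.15 198.51.100.5 20480
2020-06-01T09:01:00 10.1.2.15 203.0.113.10 514
2020-06-01T09:02:00 10.1.2.15 203.0.113.10 511
2020-06-01T09:02:40 10.1.2.15 198.51.100.5 9400
2020-06-01T09:03:01 10.1.2.15 203.0.113.10 513
2020-06-01T09:04:00 10.1.2.15 203.0.113.10 512
2020-06-01T09:05:00 10.1.2.15 203.0.113.10 515
2020-06-01T09:09:12 10.1.2.15 198.51.100.5 3300
2020-06-01T09:15:47 10.1.2.15 198.51.100.5 12000
2020-06-01T09:22:05 10.1.2.15 198.51.100.5 700
"""


def parse_log(text):
    """Parse the constructed log format into (datetime, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def beacon_analysis(records, min_connections=5, max_interval_cv=0.2):
    """Score each (src, dst) pair for beaconing.

    A pair is flagged when it has at least min_connections events and the
    coefficient of variation (stdev / mean) of the gaps between consecutive
    connections is at or below max_interval_cv, i.e. the timing is very regular.
    Both thresholds are hypothetical starting points, not vendor-published values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    findings = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        intervals = [
            (later[0] - earlier[0]).total_seconds()
            for earlier, later in zip(events, events[1:])
        ]
        mean_interval = statistics.mean(intervals)
        interval_cv = statistics.pstdev(intervals) / mean_interval if mean_interval else 0.0
        sizes = [nbytes for _, nbytes in events]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        findings[pair] = {
            "count": len(events),
            "mean_interval": mean_interval,
            "interval_cv": interval_cv,
            "size_cv": size_cv,  # near-constant payload sizes are a secondary indicator
            "beacon": interval_cv <= max_interval_cv,
        }
    return findings


def flagged_destinations(text):
    """Return the destination addresses whose traffic pattern looks like a beacon."""
    findings = beacon_analysis(parse_log(text))
    return sorted(dst for (_, dst), info in findings.items() if info["beacon"])


if __name__ == "__main__":
    for pair, info in beacon_analysis(parse_log(SAMPLE_LOG)).items():
        print(pair, info)
    print("beacon-like destinations:", flagged_destinations(SAMPLE_LOG))
```

In practice the interval statistics come from proxy, firewall or NetFlow exports rather than an inline string, and the thresholds need tuning against the environment's own baseline, since legitimate software updaters and monitoring agents also check in on fixed schedules; the regularity is a lead to investigate the destination and the process behind it, not a verdict on its own.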
Trustwave said the spyware kicked into action just two hours after the tax software was installed. GoldenSpy created a “backdoor” that allowed cyber attackers to install other types of malware on the network.
Hussey said the malware installed itself in two different places on the network, just in case one was deleted. It also had a function that would download and install the program again if both copies were deleted.