China Spies on Global Shipping Using Pre-Infected Hardware

July 11, 2014 Updated: July 10, 2014

Chinese products for use in global shipping are sold with spy software already installed. Once connected, they begin collecting files and allow off-site agents to access and control infected computer networks.

Security researchers at San Mateo, Calif.-based TrapX uncovered this latest ploy in a larger scale Chinese spying campaign. The attack, which they’ve dubbed Zombie Zero, is targeting high-level networks in the shipping and logistics industry by installing spyware on handheld scanning devices made by a Chinese company. These devices are used to track logistical information of goods in transit.

“The level of access they had on the system was 100 percent. They could do whatever they wanted,” said Carl Wright, general manager at TrapX, in a phone interview. This means the handheld scanners are just a way to take control of the whole logistics and corporate computer system.

Wright, who is the former chief information security officer of the U.S. Marine Corps, said the nature of the attack is concerning.

Since the attack targets the global shipping and logistics industry, the cyberspies now have information on items being shipped and also could have altered corporate and shipping data at will.

The cyberspies can gain access to all corporate financial data, customer data, and shipping data on the infected systems. They also steal a large amount of financial data, which according to TrapX gives them “complete situational awareness” into shipping and logistics operations, globally.

New Trend

Even more serious, however, is that the breach was done through products infected at the manufacturing level—before they were even sold. This new trend in cyberespionage introduces a difficult threat to resolve.

While consumer products have been infected at the manufacturer, Wright said the Chinese factory installing malware is the first case he knows of where critical systems were infected right from the beginning.

“It was always something we thought about, but we never really had proof of it,” Wright said. “This is the first time we’ve seen it.”

TrapX did not disclose the name of the Chinese factory, or the victims of the attack.

It did, however, disclose the name of a Chinese university that was involved: the Lanxiang Vocational School, which has a history in China’s state-sponsored cyberattacks. The infected systems TrapX discovered were sending information to a network connected to the school.

The Lanxiang Vocational School was linked to the 2010 cyberattacks against Google. It is also located just several blocks from the factory where the malware was installed on the devices.

Securing the Supply Chain

When Wright was still in the military, he was part of a meeting in 2001 at the joint staff level in the Department of Defense. “We were having discussions around supply chain management,” he said, and about whether they could maintain a local and secure supply chain, meaning the different steps a product undergoes from manufacturing until it is sold to the end user.

The conclusion was they could not. Internationally, he said, “We’re dependent on the [global] supply chain for technology.”

While the problem of networks being compromised by products infected before sale is new to high-level corporate systems, there have been several cases of infected consumer products.

On June 16, researchers at German security company G Data found Chinese smartphones with spying software built into their firmware. The phones, from an unnamed company, were being sold on websites including Amazon and eBay.

Thorsten Urbanski, public relations manager at G Data, said in an email that while malware has been found pre-installed on computer parts and USB sticks, it was the first time malware was found in a phone’s firmware.

“The smartphone,” Urbanski said, “sends personal data to a server located in China and is able to covertly install additional applications.”

Using the breach, he said, the Chinese cyberspies can “retrieve personal data, intercept calls and online banking data, read emails and text messages, or control the camera and microphone remotely.”

Some efforts have been made to secure the supply chain for government and military systems. At the government level, there is “certification accreditation” for companies in the supply chain. According to Wright, “They write huge checks to facilitate this.”

That same solution doesn’t apply to the consumer market—or to products used by major public industries, such as the shipping and logistics sector.

The security gap is thus a trade-off for free enterprise, and is set in stark contrast to countries like China where most major businesses have some level of government ownership.

“When we think about the supply chain,” Wright said, “people aren’t thinking of this from a nefarious enough point of view.”

In terms of technology security, he said, “We’re in a really dangerous time period right now.”

Follow Joshua on Twitter: @JoshJPhilipp