Proofpoint researchers confirmed that TA415 impersonated the committee chair, Rep. John Moolenaar (R-Mich.), as well as the U.S.–China Business Council, in correspondence with trusted contacts.
The impersonators tried to “target a range of individuals and organizations predominantly focused on U.S.–China relations, trade, and economic policy,” according to the Proofpoint blog post, with the goal of establishing remote access to the targets’ devices without the use of malware.
TA415’s other recent campaigns tracked by Proofpoint have also been spear phishing campaigns that use legitimate services, such as Google Sheets and Google Calendar, instead of malware, researchers said.
“This is likely a concerted effort from TA415 to blend in with existing legitimate traffic to these trusted services,” researchers stated.
“[The targets] specialized in international trade, economic policy, and U.S.-China relations.”
The campaign appears to have begun in July and continued through August.
Some of the emails impersonating Moolenaar had invited targets to click on a link that purportedly led to a proposed piece of legislation, requesting their insight.
Others that appeared to come from the U.S.–China Business Council invited targets to a supposed closed-door briefing on U.S.–Taiwan and U.S.–China affairs.
In this case, targets who clicked on the links would have downloaded a password-protected archive file that would contain a decoy PDF document that was corrupted. The file would also contain other files that would execute a scheduled task named something such as GoogleUpdate or MicrosoftHealthcareMonitorNode.
This would establish remote access to the targets’ devices for the malicious cyberactors, and collect system information and the contents of user directories.
“In this case, many of the targeted entities are consistent with known Chinese intelligence collection priorities,” the Proofpoint blog post reads. “However, the timing of TA415’s pivot toward these targets is particularly noteworthy given the ongoing complex evolution of economic and foreign policy relations between China and the United States.”
Moolenaar on Sept. 8 had confirmed Wall Street Journal reports of this campaign, and said in a statement that the committee had determined that the hackers were from China.
The committee noted that it had seen a similar campaign target staffers in January, in the midst of a confidential investigation into the Chinese state-owned port machinery company Shanghai Zhenhua Heavy Industries.
From August 2019 to August 2020, hackers with this group penetrated more than 100 targets including telecom providers, social media companies, software development companies, computer hardware manufacturers, critics of the CCP, nonprofits, universities, think tanks, and foreign governments.







