A multinational tech company installed software to pay taxes in China, then discovered malware inside

This report from NBC News never names the multinational corporation involved, but it is not a Chinese company. However, because it does business in China, it was required to pay local taxes. A Chinese bank asked the company to install a piece of software to facilitate paying those taxes, and within hours the company’s entire network had been compromised by sophisticated malware.

The tax software was legitimate, but embedded inside it was a nasty surprise, according to a new report by a private security firm: A sophisticated piece of malware that gave attackers complete access to the company’s network…

The malicious code was extremely sophisticated, Hussey said. It had what he called a triple layer of persistence. It installed itself at two different locations on the network, and if one was deleted, the other one automatically kicked in. There was also a so-called protector module, which would download and install another copy in the event both were deleted.

The software beaconed to a remote server at random intervals to evade detection, Hussey said.
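The randomised beacon interval mentioned above is aimed at the most common beacon-hunting heuristic, which looks for outbound connections repeating at a near-constant period. The script below is an added example (not code from NBC News, Trustwave, or this post) showing that heuristic next to a second signal that jitter does not hide: a single host keeping up long-lived, low-volume contact with a destination nobody else in the fleet talks to. The log records are constructed inline; host names and the `.test` destinations are placeholders, and the thresholds are assumptions to be tuned against your own proxy or firewall export.

```python
"""Beacon hunting over constructed outbound-connection records.

Added example, not part of the original post. It assumes a flat list of
(timestamp, source host, destination) records such as a proxy or firewall
export would give you. Two beacons are embedded: one with a fixed 300 s
period and one that randomises its sleep between callbacks.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import random
import statistics


def build_sample_log(seed=7):
    """Construct a small, deterministic sample log (placeholder names)."""
    random.seed(seed)
    start = datetime(2020, 6, 1, 9, 0, 0)
    records = []
    # Ordinary browsing: several hosts, shared destinations, irregular timing.
    for host in ("ws-01", "ws-02", "ws-03"):
        t = start
        for _ in range(40):
            t += timedelta(seconds=random.randint(1, 900))
            dest = random.choice(["cdn.example", "mail.example", "docs.example"])
            records.append((t, host, dest))
    # Fixed-period beacon from ws-02: exactly every 300 s.
    t = start
    for _ in range(24):
        t += timedelta(seconds=300)
        records.append((t, "ws-02", "c2-fixed.test"))
    # Jittered beacon from ws-03: random 60-900 s sleep between callbacks.
    t = start
    for _ in range(24):
        t += timedelta(seconds=random.randint(60, 900))
        records.append((t, "ws-03", "c2-jitter.test"))
    records.sort()
    return records


def intervals(timestamps):
    """Seconds between consecutive contacts of one (host, destination) pair."""
    return [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]


def score_pairs(records, min_contacts=10, max_cv=0.1, min_span_hours=1.0):
    """Return suspicious (host, dest) pairs with the reasons they were flagged.

    Rule 1 (regularity): coefficient of variation of the inter-contact
    interval below max_cv. Catches fixed-period beacons; jitter defeats it.
    Rule 2 (rarity + persistence): only one host in the fleet ever contacts
    the destination, and it keeps doing so for at least min_span_hours.
    Jitter does not change either property.
    """
    by_pair = defaultdict(list)
    hosts_per_dest = defaultdict(set)
    for t, host, dest in records:
        by_pair[(host, dest)].append(t)
        hosts_per_dest[dest].add(host)

    findings = {}
    for (host, dest), ts in by_pair.items():
        if len(ts) < min_contacts:
            continue
        iv = intervals(ts)
        mean = statistics.mean(iv)
        cv = statistics.pstdev(iv) / mean if mean else 0.0
        span_hours = (ts[-1] - ts[0]).total_seconds() / 3600
        reasons = []
        if cv < max_cv:
            reasons.append("regular interval")
        if len(hosts_per_dest[dest]) == 1 and span_hours >= min_span_hours:
            reasons.append("single-host long-lived contact")
        if reasons:
            findings[(host, dest)] = {
                "contacts": len(ts),
                "mean_s": round(mean),
                "cv": round(cv, 2),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for pair, info in sorted(score_pairs(build_sample_log()).items()):
        print(pair, info)
```

In the sample, the fixed beacon is caught by both rules while the jittered one is caught only by the rarity rule, which is the practical lesson: pair timing analysis with destination-population and duration features rather than relying on period detection alone.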

Dubbed GoldenSpy, the malware activated just two hours after the tax software was installed. Because it was discovered shortly after it was activated, Trustwave says it isn’t sure who the creators of the spyware are or what they intended to do. However, the sophistication of the software leads them to believe it was probably created by a nation-state rather than a private group of hackers.

The real question is how many other companies operating in China have been victims of this same cyberattack.

“At this point, we are unable to determine how widespread this software is,” the report said. “We currently know of one targeted technology/software vendor and a highly similar incident occurring at a major financial institution, but this could be leveraged against countless companies operating and paying taxes in China or may be targeted at only a select few organizations with access to vital information.”

This kind of hidden takeover of a company’s network is a pretty extreme cyberattack, but it’s not as if China has any respect for privacy. Last year I wrote about an investigation that found that tourists entering western China had their phones taken at the border so that some kind of tracking app could be installed on them. The app apparently scanned people’s phones for extremist content.

If you enter China, you have to expect that the government intends to spy on you and, if you are a multinational corporation, probably try to steal from you as well.

Update: Australia has been under a wave of cyber-attacks believed to be emanating from China.

A wide range of political and private-sector organisations in Australia have come under cyber-attack carried out by a “sophisticated state-based cyber-actor”, the Australian government has revealed.

Scott Morrison, the prime minister, disclosed the far-reaching attacks at a media conference in Canberra on Friday, while the defence minister, Linda Reynolds, declared that malicious cyber-activity was “increasing in frequency, scale, in sophistication and in its impact”.

The government did not say which country it believed was responsible, except to say it was “a state-based actor, with very significant capabilities”.

The prime minister declined to respond to a specific question about whether it was China, after months of tensions in its relationship with Australia, but security experts later said they believed it, Russia and North Korea were the only countries that fell within Morrison’s description.

China has been upset with Australia’s media for claiming that China has been engaged in a cover-up related to the coronavirus.