The FBI and Capitol Police are reportedly investigating a string of fake emails sent to House staffers by Chinese hackers masquerading as Rep. John Moolenaar (R-MI), chairman of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party.
According to a report from the Wall Street Journal (WSJ) on Sunday, the emails were sent to staffers on Moolenaar’s committee, plus members of “several trade groups, law firms and U.S. government agencies” in July, when trade talks between the U.S. and China were ramping up.
The email included a draft copy of legislation for sanctions against China, and solicited “insights” from recipients about the bill.
The FBI and Capitol Police were brought in when some of the recipients noticed the message came from a mysterious non-governmental email address. Forensic technicians quickly discovered the emails were laced with spyware code, which was traced to a notorious threat actor known to cybersecurity experts as APT41.
APT41 – also known as “Double Dragon,” “Wicked Panda,” “Bronze Atlas,” “Barium,” and a number of other aliases, some of which could belong to associated groups – is a very active, highly sophisticated hacking team linked to the Chinese Ministry of State Security (MSS). Several leading members of the group are wanted by the FBI.
The hackers of APT41 split their time between harvesting information that would be useful to the Chinese government, and committing financial crimes to enrich themselves, frequently targeting the video game industry. This leads cybersecurity analysts to believe the group is a “contractor,” hired and paid by the MSS to conduct espionage campaigns for the benefit of the Chinese government.
RELATED: Bessent Reveals Treasury Was Hacked Before He Became Secretary
APT41 is noted for employing a large and sophisticated arsenal of malware programs against its victims. The group prefers to deploy its malware with “spear phishing” attacks, which involve sending realistic-looking messages from people known to the victims, just as with the fake emails from Moolenaar. The unsuspecting victims, believing the emails to be legitimate, click on links or download files attached to the messages, and their systems become infected with malware.
In this case, the attached copy of the draft legislation contained a viral payload. Cybersecurity analysts said the hackers would have been able to penetrate the system of any victim who downloaded the document, as directed by the fake email.
“The hacking campaign appeared to be aimed at giving Chinese officials an inside look at the recommendations Trump was receiving from outside groups. It couldn’t be determined whether the attackers had successfully breached any of the targets,” the WSJ reported.
The report said it was “particularly galling” for Chinese hackers to use Moolenaar’s name in their fake emails, because the congressman is a “harsh critic of Beijing.”
Galling as it might be, that was a logical move on the part of the hackers. A great deal of cyberespionage is now conducted through “social engineering” attacks, most commonly including some variation of phishing. The key to a good spear phishing attack – a targeted attempt to trick the victim into accessing a virus-laced message by using personalized information – is to make the poisoned email look both harmless and urgent.
If the comments from investigators to the WSJ prove accurate, and there was no significant loss of security or data to the phishing campaign that used Moolenaar’s name, it would be a very positive sign that a seemingly large number of victims followed good online security protocols by refusing to download a compromised document, and by quickly alerting cybersecurity teams when they received an important-looking email from a shadowy source.
