CHINA-CYBER OPS/THEFT

US security researchers recently found a hacking group with suspected ties to the Chinese government engaged in what appears to be corporate espionage against multiple U.S. companies. The findings underscore an emerging, albeit opaque, trend in which hackers linked to Beijing are conducting cyber-enabled economic espionage, despite the Chinese Communist Party agreeing to stop such activity against the U.S. as part of a 2015 agreement between Chinese President Xi Jinping and U.S. President Barack Obama. According to recent research by multinational services giant PwC, a hacking group known as “KeyBoy” has returned to the fold with a data theft campaign aimed primarily at Western organizations. PwC Threat Intelligence Analyst Bart Parys told CyberScoop that “All of the initial uploads for the malware to VirusTotal were from Western countries.” He said, “As for volume of scale, from what we can tell several Western organizations were targeted at least, but it hasn’t been possible to get any further visibility into specific victims or a sense of the scale … most uploads to the VirusTotal scanning service were initially from the U.S.”

KeyBoy was extensively involved in several overlapping espionage operations in 2016 against minority groups in China; the timing aligned closely with Beijing’s concerns about unrest in the Tibetan community. As part of this observed activity, KeyBoy sent spear phishing emails to minority group leaders that contained custom backdoor implants. The implants exploited two outdated, well-recognized software vulnerabilities in RTF (rich-text-format) files, which are opened in Microsoft Word. One of those vulnerabilities had been patched by an update originally made available in 2012. CitizenLab found that between 2013 and 2016, KeyBoy had seemingly invested resources in updating and improving its hacking toolkit and other intrusion techniques. The two .RTF vulnerabilities exploited by KeyBoy last year were subsequently connected to data breaches affecting civil society groups engaged in Hong Kong, Taiwan, and the Uyghur community, all of which are relevant to Beijing’s security interests. In the case now identified, the group abused a legitimate Microsoft Word feature, the Dynamic Data Exchange (DDE) protocol, to covertly deliver malware; DDE requires no exploit of a software vulnerability, which is why it slips past patch-based defenses. This DDE technique was publicly disclosed by cybersecurity firm SensePost in early October. Since then, multiple groups have adopted the methodology. PwC’s research looked at data gathered between August and October. The evidence suggests KeyBoy remains active and is currently sending phishing emails to U.S. companies.
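The DDE delivery feature mentioned above leaves a trace that defenders can look for: a Word field instruction beginning with DDE or DDEAUTO inside the document's XML. The script below is an added example, not code from the original brief, PwC or SensePost; it scans a .docx for such field instructions, rejoining instruction text that has been split across several runs (a common way to defeat naive string matching), and builds its two sample documents inline so it runs offline.

```python
import html
import io
import re
import zipfile

# Complex fields span fldChar "begin" .. "end"; their instruction is split across instrText runs.
FIELD_SPAN_RE = re.compile(r'<w:fldChar[^>]*w:fldCharType="begin"[^>]*>(.*?)<w:fldChar[^>]*w:fldCharType="end"', re.DOTALL)
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
# Simple fields carry the whole instruction in one attribute.
SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
DDE_RE = re.compile(r"^\s*DDE(?:AUTO)?\b", re.IGNORECASE)

def field_instructions(xml: str):
    """Yield every field instruction in one WordprocessingML part, rejoining split runs."""
    for span in FIELD_SPAN_RE.findall(xml):
        # Joining the runs defeats the trick of splitting "DDEAUTO" over several instrText elements.
        yield html.unescape("".join(INSTR_RE.findall(span)))
    for instr in SIMPLE_RE.findall(xml):
        yield html.unescape(instr)

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return (part name, whitespace-normalised instruction) for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".xml"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for instr in field_instructions(xml):
                    if DDE_RE.search(instr):
                        hits.append((name, " ".join(instr.split())))
    return hits

def build_sample_docx(body_xml: str) -> bytes:
    """Constructed minimal .docx (a zip with one document part), used only to exercise the scanner."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f"<w:body>{body_xml}</w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed sample: keyword split across two runs, command replaced by a placeholder.
SAMPLE_DDE = build_sample_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve">DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO &quot;PLACEHOLDER&quot; &quot;args&quot;</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
# Constructed benign sample: an ordinary page-number field.
SAMPLE_BENIGN = build_sample_docx('<w:p><w:fldSimple w:instr=" PAGE "/></w:p>')
```

Run `find_dde_fields()` over a quarantined attachment; any hit is worth a closer look, since legitimate documents rarely carry DDE fields.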
Centre for China Analysis and Strategy, A-50, Second Floor, Vasant Vihar, New Delhi-110057
Tel: 011 41017353
Email: office@ccasindia.org