ArrowArtboardCreated with Sketch.Title ChevronTitle ChevronIcon FacebookIcon LinkedinIcon Mail ContactPath LayerIcon MailPositive ArrowIcon PrintIcon Twitter

Global finance falls victim to China's spyware campaign

US and Germany warn companies about backdoors in Chinese tax software

Beijing has strongly denied allegations that Chinese telecommunication equipment makers, including Huawei Technologies, have installed spyware and backdoor access. (Nikkei montage/Reuters and AP)

TOKYO -- U.S. and German investigative and intelligence agencies issued grave warnings in recent months that Chinese government-mandated tax software contains malware, which enables backdoor access into the applications that install it.

If the allegations are true, local units of foreign companies operating in China as well as global financial institutions will be exposed to the risk. But, while some countries are taking urgent steps to mitigate this risk, Japan's public and private sectors seem to be slow in taking action to protect its financial institutions and companies.

U.S. cyber security company Trustwave Holding on June 25 issued a warning about spyware embedded in the Chinese government-mandated Intelligent Tax software, which U.S. companies operating in China are required to install by local banks. Once the software is installed, the backdoor will be secretly embedded in companies' systems, Trustwave warned.

The advice prompted the U.S. Federal Bureau of Investigation to issue a warning to American companies operating in China on July 23. The FBI warned that the value-added tax software provided by two exclusive distributors -- Baiwang Cloud and Aisino Corp. -- contained malware which enables backdoor access.

Beijing has strongly denied allegations that Chinese telecommunication equipment makers, including Huawei Technologies, have installed spyware and backdoor access -- leaving U.S. companies in confusion.

Some observers have suggested the U.S. is trying to make waves amid the new cold war that has developed from Sino-American rivalry, but Germany's Federal Office for the Protection of the Constitution -- which is supposedly at enmity with the U.S. -- on Aug. 21 issued a similar warning to German companies operating in China. Berlin has confirmed the same spyware as the FBI and recommends that German companies take necessary measures based on information that it has provided, the warning said.

The Federal Office for the Protection of the Constitution is an intelligence agency that comes under Germany's Interior Ministry, and is not an organ of the judiciary. It has worked closely with the FBI over the Chinese spyware, with German state documents on the matter noting that their "information was provided by the FBI." The U.S. embassy in Germany also tweeted: "Germany and the United States stand together against Chinese cyber espionage and targeting activity."

In a rare move, this matter has caused the U.S and Germany to join forces. While such bilateral intelligence cooperation does not necessarily happen every day, the two countries evidently see the threat from the cleverly crafted spyware as highly serious and potentially creating a domino effect in companies and institutions across the world.

The installation process and effects of the Chinese tax software are as follows:

(1) First, foreign companies operating in China are required to install the Intelligent Tax software to pay their value-added taxes, with few options to avoid the risk.

(2) Spyware is secretly downloaded two hours after the Intelligent Tax software is installed. The two-hour time lag is key to the surreptitious installation of the malware.

(3) Once the spyware is downloaded, the company's systems will be taken over. An arbitrary program will be executed remotely through the backdoor so that China can manipulate the company's systems.

(4) The effect can then go beyond the local units of foreign companies. As hacked systems of foreign companies in China are connected to headquarters and other networks, the risk of malfunctions and information theft could spread across the entire globe.

(5) The effect can go further still, as companies' systems are also connected to financial institutions through settlement systems. Thus, China's spyware can try to break into financial institutions' networks through these companies.

What then, do Baiwang Cloud and Aisino do?

Baiwang Cloud claims to be a leading provider of smart tax and electric invoicing services in China. Meanwhile, Aisino is a publicly-traded information security company.

Baiwang Cloud's tax software is called "Golden Tax," while Aisino's is called "Intelligent Tax." In fact, Golden Tax was developed by NouNou Network Technology, a subsidiary of Aisino. NouNou has reportedly installed spyware in Baiwang Cloud's Golden Tax software.

It turns out that Aisino is involved in both tax software and spyware. According to a correlation diagram created by Trustwave, a blue area located at the center of the diagram refers to Aisino and its subsidiaries, which develop tax software and spyware, while a green part refers to actual providers of tax software.

The spyware embedded in the Golden Tax invoicing software provided by Baiwang has been named "GoldenHelper," while the backdoor malware hidden in Aisino's Intelligent Tax software has been dubbed "GoldenSpy." Trustwave has found that the two pieces of malware are actually the same software.

The parent company of Aisino, which has apparently played the central role in this backdoor malware campaign, is China Aerospace Science & Industry Corp., or CASIC, a state-owned enterprise that designs and manufactures a range of weapons, according to a Credit Suisse investment report. Many Aisino executives have hailed from CASIC, the report says.

CASIC is linked to the People's Liberation Army and has its origins in the Fifth Research Institute of China's Ministry of National Defense, which was established in October 1956.

The company is now known as China's largest manufacturer of missile weapons systems. It has, for instance, developed the Dongfeng-21D, or DF-21D, medium-range anti-ship ballistic missile, which is known as the "carrier killer" or "Guam killer" -- meaning it could strike targets such as aircraft carriers or the U.S. territory of Guam in the Pacific Ocean. The company is on the U.S.'s "Entity List" -- a trade blacklist of foreign businesses subject to U.S. sanctions.

All these facts should leave no doubt that the campaign to hide backdoors in the Chinese government-mandated tax software is part of an industrial espionage scheme masterminded and orchestrated by Beijing.

In an additional twist to the story, following the publication of the report about GoldenSpy, Trustwave also discovered that CASIC had hastily delivered an uninstaller, which is designed to remove the spyware.

"After GoldenSpy was made public, those behind the backdoor quickly scrambled to push an uninstaller to erase GoldenSpy from infected systems," Trustwave said in a report published in August. "The uninstaller was dropped from an updater module, cleaned GoldenSpy and finally deleted itself leaving no traces. Another uninstaller was issued right afterwards," according to the report.

As Trustwave waited for the threat actor's next moves, it found that "they are continuing to push new GoldenSpy uninstallers -- so far we have discovered five variants totaling 25 uninstaller files."

Trustwave traced the uninstalling software to Ningbo Digital Technology, a Chinese company that provides professional software solutions and technical support. The company's website provides two files for download: the GoldenSpy Uninstaller and a GoldenSpy dropper, according to Trustwave.

A security expert at a Japanese financial institution who has been following the Chinese malicious campaign using the mandatory tax invoice software, has been amazed at Trustwave's ability to track down all the facts. But the expert sounded the alarm about Japan's slow and weak response to the Chinese malware attacks.

"A subsidiary of a Chinese state-owned military company is posing a serious security threat to the computer systems of Japanese companies operating in China," the expert said. "But the Japanese government, unlike its U.S. and German counterparts, has failed to disclose the information and issue a warning."

Is the Japanese government's inaction in the face of the grave cyber security threat due to the highly compartmentalized structure of its organization, which impedes integrated efforts for cyber security? Or has the government decided to avoid making any strong response to the findings for fear of hurting improved Japan-China relations?

At any rate, the spyware is an ongoing threat to the security of Japanese companies operating in China.

If Japanese Prime Minister Yoshihide Suga's administration is really committed to the digitization of the country's society and economy, it should act swiftly to enhance the nation's defense against such cyber security threats.

First of all, Tokyo needs to make emergency safety reviews to assess the preparedness of the systems of Japanese companies operating in China and elsewhere against possible risks of hacking and intrusion. This will require the Japanese government to work closely with the security and intelligence authorities of the U.S. and European countries.

In particular, the systems used by financial institutions for settlements have to be rigorously examined and checked.

It is also vital to establish an effective domestic system to issue early warnings about potential cyber security risks and threats and take steps quickly to deal with them.

The cabinet's National Center of Incident Readiness and Strategy for Cybersecurity (NISC) should have raised warning flags about this particular backdoor malware some time ago. What has NISC been doing over the past four months since the FBI first sent an alert to U.S. companies about the spyware?

It is also crucial to ensure that information about such threats is shared between the public and private sectors. Companies, for their part, should build up a new system for sharing such information widely between themselves.

Another prerequisite for effective defense against cyber security threats is solid international cooperation. This time, the U.S. and German authorities have made remarkably concerted and coordinated efforts to respond to the Chinese malware.

The attacks have underscored the urgent need for Japan to create a system to share security information with leading Western nations and the so-called Five Eyes intelligence alliance, involving the U.S., the U.K., Canada, Australia and New Zealand.

Tokyo also needs to seek help from overseas information security companies that have advanced technology and expertise in this area. We cannot afford to let China take over our network systems via overseas units, while the concerted and efficient actions of other countries leave us behind.

Sponsored Content

About Sponsored Content This content was commissioned by Nikkei's Global Business Bureau.

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this monthThis is your last free article this month

Stay ahead with our exclusives on Asia;
the most dynamic market in the world.

Stay ahead with our exclusives on Asia

Get trusted insights from experts within Asia itself.

Get trusted insights from experts
within Asia itself.

Try 1 month for $0.99

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this month

This is your last free article this month

Stay ahead with our exclusives on Asia; the most
dynamic market in the world

Get trusted insights from experts
within Asia itself.

Try 3 months for $9

Offer ends October 31st

Your trial period has expired

You need a subscription to...

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers and subscribe

Your full access to Nikkei Asia has expired

You need a subscription to:

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers
NAR on print phone, device, and tablet media

Nikkei Asian Review, now known as Nikkei Asia, will be the voice of the Asian Century.

Celebrate our next chapter
Free access for everyone - Sep. 30

Find out more