The campaign was revealed on Thursday, the same day that US secretary of state John Kerry, visiting China, condemned the country's cyber attacks for having a “chilling effect” on innovation and investment.
In its report on the zero-day, TrapX said weaponised malware was pre-installed on handheld scanners and software at a Chinese supplier's factory, then sent to seven shipping and logistics firms and one manufacturing company, in order to infiltrate their corporate ERP servers and steal financial data.
The “highly sophisticated” malware was embedded in the Windows XP operating system installed on the scanner and also on the Chinese manufacturer's support website.
TrapX said the handheld scanner in question is used by “many shipping and logistic companies around the world” to check items being loaded on and off vehicles such as ships, trucks or planes.
In the attack that first alerted TrapX to Zombie Zero, as soon as the victim used the scanner to send data via an exterior wireless network to its main server, the malware attacked the corporate network, targeting any servers that had the word ‘finance’ in their host name.
“The attack successfully located the ERP financial server via automated means and compromised it,” TrapX said. “Exfiltration of all financial data and ERP data was achieved, providing the attacker complete situational awareness and visibility into the logistic/shipping company's worldwide operations.”
The malware successfully bypassed the victim company's firewall, IPS, IDS and mail-gateway security. TrapX also warned: “The customer installed security certificates on the scanner devices for network authentication. But because APT malware from the manufacturer was already installed in the devices, the certificates were completely compromised.”
The company in question had 48 scanners from the Chinese supplier, 16 of which were infected with the malware.
TrapX suspects Zombie Zero is a Chinese ‘nation state’ malware campaign because its command-and-control server is located at the Lanxiang Vocational School, within the China Unicom Shandong province network.
TrapX says the Lanxiang School was implicated in the Operation AURORA attacks against Google two years ago which were linked to the Chinese People's Liberation Army. The Chinese scanner manufacturer is also located a few streets away from the Lanxiang School.
Zombie Zero is the latest in a series of suspected Chinese attacks on commercial and political targets in the West, and has emerged at the same time as John Kerry was meeting the Chinese president and vice premier, declaring: "Instances of cyber theft have harmed our business and threatened our nation's competitiveness."
Yet despite the criticism, UK security expert Alan Woodward, a visiting professor at Surrey University and Europol adviser, says there is no sign of China reducing its attacks.
He told SCMagazineUK.com: “If one looks at the raw data being reported by a number of commercial security firms, the volumes of attacks apparently coming from China does not appear to be abating.”
But Woodward believes the latest talks in China could have some impact, telling SC: “We have seen this week that the US and China have cyber security high on the agenda of their joint talks at secretary of state level. So I think we are seeing some progress but it probably hasn't filtered through to the everyday attacks as yet.”
He added: “I think we have to remember that we are dealing with quite different cultures, particularly when it comes to protection of intellectual property. Also, the US is being wrong-footed regularly at present, being shown to be involved themselves in cyber espionage through the continuing leaks from Snowden.
“It is difficult for the US to grab the moral high ground in such a climate. I suspect the answer, as ever, will be by negotiation and developing a modus vivendi in cyber space.”
Analysing the Zombie Zero attack, Alex Chapman, principal security consultant at UK-based Context Information Security, told SC via email: “This is not the first example of hardware devices being pre-installed with malware from the factory. Compromise of the supply chain provides an easy way for attackers to get their malicious software into the hands of target users.”
Chapman added: “Even though the affected customer had made an effort to securely connect the hardware devices to their network, because the devices were pre-compromised the configuration changes made had little to no consequence.
“Whilst traditional security products - for example, IPS and IDS, firewalls and web proxies - are good at defending attacks from the outside in, these devices often fail at detecting and preventing attacks that originate from within the network, as would happen in the case of pre-infected hardware.”
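The behaviour described in the report (scanners that should only talk to their ingest server instead reaching for hosts with ‘finance’ in the name) is exactly the kind of east-west traffic Chapman says perimeter tools miss. The following Python is an added illustration of how a defender could flag it from internal flow logs; it is not code from TrapX, Context or the article. The network layout (a 192.0.2.0/24 scanner segment, an expected destination `wms-ingest.corp.example`) and the log lines are constructed assumptions for the example.

```python
"""Flag handheld scanners that talk to anything other than their ingest server.

Added example for illustration only. Assumptions (hypothetical):
  - scanners sit on 192.0.2.0/24 and are only expected to reach
    wms-ingest.corp.example;
  - flow records look like: <timestamp> <src ip> <dst hostname> <dst port>.
Any other internal destination is flagged, and a destination whose name
contains "finance" (the pattern reported in the Zombie Zero case) is rated high.
"""
import ipaddress
import re
from collections import defaultdict

SCANNER_NET = ipaddress.ip_network("192.0.2.0/24")      # assumed scanner VLAN
EXPECTED_DEST = {"wms-ingest.corp.example"}             # assumed legitimate target
SENSITIVE_NAME = re.compile(r"finance", re.IGNORECASE)  # host-name pattern from the report

# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = """\
2014-07-10T08:01:02Z 192.0.2.17 wms-ingest.corp.example 443
2014-07-10T08:01:05Z 192.0.2.17 wms-ingest.corp.example 443
2014-07-10T08:03:11Z 192.0.2.23 finance-erp01.corp.example 445
2014-07-10T08:03:12Z 192.0.2.23 finance-erp01.corp.example 1433
2014-07-10T08:04:40Z 192.0.2.23 fileshare02.corp.example 445
2014-07-10T08:05:00Z 10.1.4.8 finance-erp01.corp.example 1433
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": dst, "port": int(port)}


def classify(flow):
    """Return a severity for a scanner flow, or None when it is expected or out of scope."""
    if flow["src"] not in SCANNER_NET:
        return None  # not a scanner; a different rule would cover it
    if flow["dst"] in EXPECTED_DEST:
        return None  # the only destination a scanner should ever need
    if SENSITIVE_NAME.search(flow["dst"]):
        return "high"  # scanner reaching for a finance host: matches the reported pattern
    return "medium"  # any other lateral move from a scanner is still worth a look


def find_suspicious(log_text):
    """Group flagged flows by scanner so an analyst sees which devices misbehave."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        sev = classify(flow)
        if sev:
            alerts[str(flow["src"])].append((sev, flow["dst"], flow["port"]))
    return dict(alerts)


if __name__ == "__main__":
    for src, hits in find_suspicious(SAMPLE_FLOWS).items():
        print(src)
        for sev, dst, port in hits:
            print(f"  [{sev}] -> {dst}:{port}")
```

The rule keys on what a scanner is allowed to do, not on a signature of the malware, which is why it still works when the device arrived compromised and any certificate or enrolment step it completed is meaningless. It only has something to read if flows between internal segments are logged (NetFlow or inter-VLAN firewall logs), which is the gap Chapman is pointing at.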
Earlier this week, The New York Times reported that Chinese hackers infiltrated the US Government's Office of Personnel Management network in March – apparently targeting tens of thousands of government employees who had applied for top-secret security clearance. The US says no data was stolen.
In May, the FBI even indicted five Chinese army officers on charges of cyber theft.