Ping-ponging tariffs between the US and China have already sparked new Chinese hacking campaigns and a shift toward attacks that are increasingly targeted and most likely aimed at carrying out government espionage.

This is according to Jeremy Samide, CEO of Stealthcare, who calls for private organisations and governments to step up their cybersecurity with advanced threat assessment tactics, so they can take defensive measures before the attack, rather than after a breach.

“Cyberattacks typically increase when political and international tensions rise as they are now with the recent round of escalating tariffs between Trump and Xi that will be felt here initially by US corporations manufacturing in China, including Apple, Sony and Boeing,” Samide says.

“Typical targets are government agencies, law firms, healthcare organisations and major corporations that possess intellectual property and proprietary data worth billions.”

The intent of the new malware is sinister, Samide adds. “The China campaign we recently detected was attributed to LuckyMouse, which is ironically also named Emissary Panda, APT27. The new malware strain is based, in part, on the HyperBro Remote Access Trojan (RAT).”

The Trojan malware breached a national data centre in Central Asia, which granted the operators access to government resources. The operators then compromised frequently visited government websites in what are known as watering hole attacks, which in turn infect the computers of visitors to those sites.

Of the two major attacks during the previous two or three weeks, Samide comments: “The main C2 attack, which gives the hackers feedback on their success, has been traced to an IP address belonging to a Ukrainian ISP network, held by a MikroTik router using two-year-old firmware.

“The router was probably hacked specifically for this campaign to process the malware’s HTTP request,” says Samide.

Shortly after the first attack, Samide says the Stealthcare research team observed another Chinese espionage campaign dubbed MirageFox, attributed to APT15, also known as Vixen Panda, Ke3chang, Royal APT, and Playful Dragon.

“After infiltrating a target, the hackers conduct extensive reconnaissance, send the commands from the C2 server manually, and customise malware components to best suit the infected environment. Interestingly, decrypting the C2 configuration reveals an internal IP address.”

Previous intelligence indicates the APT15 malware infiltrated a private organisation after the group stole the VPN private key, an advanced access protection mechanism. Samide comments: “These factors indicate that this version of the malware was tailored to an organization the group had previously infiltrated.”