The hackers left a malicious link on web pages where members of the National Foreign Trade Council (NFTC) register for upcoming meetings, according to researchers at Fidelis Cybersecurity and a person familiar with the trade group.The nonprofit NFTC is a prominent advocate on international trade policy, with corporate members including Wal-Mart Stores Inc, Johnson & Johnson, Amazon.com Inc, Ford Motor Co and Microsoft Corp.

The malicious link deployed a spying tool called Scanbox, which would have recorded the type and versions of software running on the computers of those exposed to it, said Fidelis researcher John Bambenek. Such reconnaissance is typically followed by new attacks using known flaws in the detected software, especially older versions.Scanbox has only been used by groups associated with the Chinese government, Fidelis said, and was recently seen on a political site aimed at Uyghurs, an ethnic minority under close government scrutiny in China.The breach was detected about five weeks ago by a NFTC director who is a customer of Fidelis, the security company said. Both the Federal Bureau of Investigation and the NFTC were notified and the malicious link removed, and Fidelis said it had no evidence of NFTC members being infected.The FBI and the NFTC declined to comment. A spokesman for the Chinese foreign ministry did not respond to a request for comment.Bambenek said he believed the attack was classic espionage related to international trade talks, rather than a violation of a 2015 agreement between former U.S. President Barack Obama and Xi to end spying for commercial motives.The summit starting on Thursday is the first meeting between Xi and Trump, who blamed China on the campaign trail for the loss of many U.S. jobs and vowed to confront the country’s leaders on the matters of trade and currency manipulation.“I think it’s traditional espionage that happens ahead of any summit,” said Bambenek. “They would like to know what we, the Americans, really care about and use that for leverage.”Other security firms agreed that wholesale theft of U.S. intellectual property has not returned.Instead, FireEye Inc and BAE Systems Plc said that the hacking group identified by Fidelis, called APT10, has recently attacked government and commercial targets in Europe.FireEye researcher John Hultquist said heavy industries in Nordic countries have been hacked more often as Beijing switches priorities.“They are certainly taking those resources and pushing them to other places where they can still get away with this behavior,” Hultquist said.