Chinese cyber espionage campaign targeted Australia, South China Sea energy sector, says study

China-based APT hacker group Red Ladon, also known as TA423, targeted Australian governmental agencies and news organisations in a cyber espionage campaign from April through June 2022, according to research by Proofpoint and PwC Threat Intelligence.

Red Ladon delivered the ScanBox exploitation framework to target who visited a malicious domain, Australian Morning News, masquerading as an Australian news website, said Proofpoint. TA423 is described as one of the most consistent APT actors in the threat landscape, according to Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. The APT is known to support the Chinese government in matters related to the South China Sea and was seen active during the recent tension in Taiwan, DeGrippo said in a blog post. 

ScanBox is typically used by hackers associated with or sponsored by the Chinese government and gives hackers multiple capabilities, including JavaScript keyloggers installed on target PCs. The information gathered with this reconnaissance can be used in phishing campaigns directed toward targeted individuals.

“This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia,” DeGrippo said. 

TA423 has been active since 2013 and has targeted defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations. 

TA423’s 2022 campaign was active since April

From April 12 through mid-June 2022, Proofpoint identified several waves of a phishing campaign resulting in the execution of the ScanBox reconnaissance framework. The detection was aided in part by intelligence shared by PwC Threat Intelligence related to ongoing ScanBox activity.

The phishing campaign delivered URLs that redirected victims to a malicious website posing as an Australian news media outlet. Once on the website, a JavaScript ScanBox malware payload was delivered to selected targets. PwC Threat Intelligence assessed that it is highly likely that ScanBox is shared privately amongst multiple China-based threat actors. 

The campaign mainly targeted local and federal Australian governmental agencies, Australian news media companies, and global heavy industry manufacturers conducting maintenance of wind turbine fleets in the South China Sea, the research noted.

“The ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and Outlook email addresses which Proofpoint assess with moderate confidence were created by the threat actor, and utilised a variety of subjects including Sick Leave, User Research, and Request Cooperation,” the blog by the researchers said. 

The threat actor would often pose as an employee of the fictional media publication “Australian Morning News,” providing a URL to the malicious domain and luring targets to view its website or share research content that the website would publish. 

Proofpoint noted that in the emails, the APT claimed to be starting a “humble news website” and asked users for their feedback by providing a link to the website. The website copied content from legitimate news publications including the BBC and Sky News, which was then displayed when victims navigated to the website. When the user clicked the link, they were served the ScanBox framework. 

The ScanBox delivered the JavaScript in a plugin-based modular architecture. PwC threat intelligence analysts noted that the primary motivation for selectively loading plugins is likely a way to prevent crashes or errors that might tip off the owners of compromised websites. The researchers predict another likely motivation to adopt a modular architecture was to reduce researchers’ visibility and access into the plugins and the threat actor’s toolset.  

Longest running campaign targeting Australia 

This could be considered as a long running campaign targeting Australia and Malaysia according to the researchers. The first phase of the attack, between March 2021 and September 2021, consisted of phishing targeting users with emails that delivered Zip Archive attachments containing RTF template injection files. These files would retrieve either further Zip archives, or macro-laden Word documents using RTF template injection, which serve as a next stage downloader.

“Regardless of the nature of the downloader, the following stage payload would consist of a legitimate PE and a malicious DLL stager. This DLL stager is executed using DLL sideloading and communicates with a threat actor-controlled server to retrieve a response encoded with a single-byte XOR. The decoded response is Meterpreter shellcode, which is executed on the victim’s machine,” the research noted. The second phase of the attacks was seen in March 2022 using a similar method. Currently, the third phase of the attack, which started in April is ongoing. 

TA423 ran a similar campaign in 2018 

In 2018, TA423 was involved in a similar ScanBox activity that targeted Cambodia and involved domains masquerading as news websites and targeting high profile government entities, including the National Election Commission.

One of the ScanBox server domains used in that campaign, mlcdailynews[.]com, hosted several articles about Cambodian affairs and US and East Asia relations, for which contents were copied from legitimate publications (Khmer Post, Asia Times, Reuters, Associated Press). These were used as lures in phishing emails to convince targets to follow malicious links. 

A 2021 indictment by the US Department of Justice assessed that TA423 / Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS).

While a direct correlation cannot be drawn between the cyber espionage campaign targeting entities involved with the site and portions of its supply chain in the days directly preceding naval intervention, Proofpoint said the historic targeting focus of TA423 and the subsequent naval intervention may suggest that this project in the South China Sea was highly likely an area of priority interest for the threat actor.