"Chinese Hackers Target Energy Firms in South China Sea"

The Chinese APT known as TA423 (aka Red Ladon, APT40, and Leviathan) has been operating a cyberespionage campaign across Australia, Malaysia, and Europe. Security researchers at Proofpoint noted that the campaign has had three distinct phases, the latest running from April 2022 to mid-June 2022. The primary targets have been Australian organizations and entities involved in energy exploration in the South China Sea. The researchers stated that TA423 has been active since 2013, with previous targets including defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations. The focus is on areas of geopolitical interest to the Chinese government. The researchers noted that in July 2021, the US government indicted four Chinese nationals (three of whom it said were provincial officers in China's Ministry of State Security) for APT40-related cyberespionage. The latest operation involved phishing campaigns that lured victims to a malicious website posing as an Australian news site. The researchers noted that the site delivered the ScanBox reconnaissance and exploitation framework, first analyzed by AlienVault in 2014 and believed to be used by several different Chinese threat groups. The researchers stated that targets received messages from email addresses created by the threat actor asking the recipient to visit a fake website for the fictional Australian Morning News. The site used real news stories from sources such as Reuters and the BBC. Targets who visited the website were served with ScanBox. The researchers noted that ScanBox delivers JavaScript code either as a single block or as a plugin-based modular architecture. The primary payload sets its configuration, including the information to be gathered and the C2 server to be contacted, and harvests detailed data on the browser being used.
Subsequent ScanBox plugins delivered to the victim include a keylogger, browser plugin identification, browser fingerprinting, a peer connection plugin (avoiding the need to communicate through NATs, firewalls, and other security solutions), and a security check for Kaspersky Internet Security (KIS).

SecurityWeek reports: "Chinese Hackers Target Energy Firms in South China Sea"