China-backed cyber attack on defence and energy
Chinese state-backed cyber spies attacked the IT systems of the Australian government, media, defence and health agencies for three months this year.
Chinese state-backed cyber spies attacked the computer systems of the Australian government, media companies, defence and health agencies for three months this year, seeking sensitive defence, navy and energy information relating to the South China Sea.
Using the 2022 federal election as bait, the spies – alleged to have connections back to China’s Ministry of State Security – set up a fake Australian media outlet, using cloned election stories from legitimate media organisations.
It then bombarded the inboxes of people working for federal and local government agencies, defence academic institutions, defence and health agencies, and Australian companies involved in energy generation in the South China Sea, with phishing emails.
The emails encouraged people to visit the “humble’’ new media outlet “Australian Morning News’’, which carried pictures, stories and headlines directly copied from mainstream media outlets.
The site was a fake, and designed simply to get unsuspecting readers to click on a link that would infect their computer with malware, and give the cyber spies access to their data.
American cyber security firm Proofpoint, working with PwC Threat Intelligence, identified the group as Red Ladon, or TA423.
The group closely overlaps the APT (Advanced Persistent Threat) 40 group, also known as Leviathan, the same group that a US indictment last year accused of working with the Hainan Province Ministry of State Security.
According to the report by Proofpoint and PwC, Red Ladon was particularly active from April to June, attacking companies and agencies involved in the operations and supply chains of energy generators in the South China Sea, targeting Europe, Malaysia and Australia.
It mirrored an attack last year in which the likely same group of Chinese government cyber spies sent out malicious emails impersonating a number of Australian media companies, mainly The Australian and the Herald Sun, to try to gain access to the computers of people working in sensitive industries. The phishing emails contained ScanBox malware that sought to worm its way inside government and defence IT systems and access information held there. This could include anything from what language the victim’s computer used, and what pages the users had visited previously, to show the hackers other areas that could be compromised later. Sherrod DeGrippo, vice-president of threat research and detection at Proofpoint, said TA423 was one of the globe’s most consistent advanced, persistent threat actors. “They support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan,’’ Ms DeGrippo said.
“This group specifically wants to know who is active in the region and while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia.”
Ms DeGrippo could not say how successful the hacking attempts were.
“Proofpoint blocks these threats when they’re detected in email against our customers,” she said. “What may happen or damages that may occur if the threat actors get access via another method or if they are attempting delivery via another means is not something we can speak to.”
Proofpoint and PwC observed the Red Ladon hackers targeting entities based in Australia and overseas particularly around the times China was involved in tensions with other countries around the South China Sea.
“These targets regularly included military academic institutions, as well as local and federal government, defence, and public health sectors,’’ the company said in its report, released on Tuesday night. Red Ladon had previously targeted Cambodia’s National Election Commission in the lead-up to its federal elections in 2018.
“Red Ladon’s 2018 ScanBox activity targeting Cambodia involved domains masquerading as news websites and targeted high-profile government entities,’’ the report said. “One of the ScanBox server domains used in that campaign, mlcdailynews[.]com, hosted several articles about Cambodian affairs and US and East Asia relations, for which contents were copied from legitimate publications (Khmer Post, Asia Times, Reuters, Associated Press).
“These were likely used as lures in phishing emails to convince targets to follow malicious links to the actor-controlled ScanBox domain.’’
The Australian Electoral Commission has said there was no foreign interference in this year’s Australian election. Proofpoint said the April-June Red Ladon attack primarily targeted local and federal Australian government agencies, Australian news media companies and global heavy-industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea.
“This demonstrated the co-mingling of targets involved in Australian governmental affairs as well as offshore energy production in the South China Sea,’’ the company said.
It said the phishing campaigns originated from Gmail and Outlook email addresses using subject lines including “Sick Leave,” “User Research,” and “Request Cooperation”.
“The threat actor would frequently pose as an employee of the fictional media publication ‘Australian Morning News’, providing a URL to the malicious domain and soliciting targets to view its website or share research content that the website would publish,’’ Proofpoint said.
“In emails, the threat actor claimed to be starting a ‘humble news website’ (sic) and solicited user feedback while providing a link to australianmorningnews[.]com. While this is not impersonating an existing Aust-ralian media publication, it does copy content from legitimate news publications (including the BBC and Sky News) which was then displayed when victims navigated to the website.’’
Those who clicked through into the site were infected with the ScanBox malware. Proofpoint said this was the same technique used in September last year when Red Ladon faked emails that claimed to have come from media outlets, predominantly The Australian and the Herald Sun, which carried the ScanBox malware.
“TA423/Red Ladon is a China-based, espionage-motivated threat actor that has been active since 2013, targeting a variety of organisations in response to political events in the Asia-Pacific region, with a focus on the South China Sea,’’ the company said.
“Targeted organisations include defence contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.’’
According to Proofpoint, the domain name australianmorningnews[.]com was first registered on April 8 this year by a “Florence Gourley’’, using the email address suzannehhu316@outlook.com, from the city Logandale, which is the name of a Queensland neighbourhood area and a US county.
But Red Ladon had been actively attacking Australia for at least a year before that.
“Beginning in March 2021, Proofpoint began to observe a consistent pattern of targeting against entities based in Malaysia and Australia, as well as against entities that are involved in the operations and supply chain of offshore energy projects in the South China Sea,’’ the company said.
“Throughout this campaign, Australian targets regularly included military academic institutions, as well as local and federal government, defence, and public health sectors. Malaysian targets included offshore drilling and deepwater energy exploration entities as well as global marketing and financial companies.”
Several global companies were also targeted that appear to relate to the global supply chains of offshore energy projects in the South China Sea. These included heavy industry and manufacturers responsible for the maintenance of offshore wind farms, manufacturers of installation components used in offshore wind farms, exporters of energy from prominent energy exploration sites in the South China Sea, large consulting firms providing expertise at projects in the South China Sea and global construction companies responsible for the installation of Offshore energy projects in the South China Sea.
“Proofpoint assesses with moderate confidence that the campaigns were conducted by the China-based, espionage-motivated threat actor TA423, which PwC tracks as Red Ladon and which also overlaps with “Leviathan,” “GADOLINIUM,” and “APT40.”
“This threat actor has demonstrated a consistent focus on entities involved with energy exploration in the South China Sea, in tandem with domestic Australian targets including defence and health care.’’
The report said the “CopyPaste attacks’’ that targeted the Australian government in 2021 had been previously attributed to TA423/Red Ladon.
The report also identified a specific case study from 2021 relating to the Kasawari Gas Project off the Malaysian coast.
“On 2 June 2021 numerous emails were sent from a Gmail email address to several companies involved with deep water drilling, oil and petroleum exploration, and Australian Naval Defense,’’ it said.
It added that the emails lured victims into clicking through by using the subject “COVID-19 passport services in Australia” resulting in them being infected with malware.
“This campaign focused heavily on Malaysia, and specifically on companies that appear to be involved in either the engineering, extraction of natural gases, or export of natural gas products from the Kasawari Gas Project off the coast of Malaysia,” the report found. “Specifically, four of the eight entities targeted by this campaign were associated directly with this project.
“Additional targets observed in this campaign were involved in Australian Defense universities, consumer healthcare in Australia, and large financial banking entities in Malaysia.’’
The report said similar entities and organisations operating in the South China Sea were targeted in the ScanBox attack earlier this year.
“In close temporal proximity to the cyber espionage campaigns targeting these entities, the Asia Maritime Transparency Initiative reported disruption at the project site stemming from Chinese Coast Guard Intervention,’’ it noted.
“Proofpoint assesses with moderate confidence that this activity may be attributable to the threat actor TA423/Red Ladon, which multiple reports assess to operate out of Hainan Island, China.
“A 2021 indictment by the US Department of Justice assessed that TA423/Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS). One of TA423’s longest running areas of responsibility is assessed to include the South China Sea, with the US Department of Justice indictment indicating that the threat actor has historically focused on intellectual property related to naval technology developed by federally-funded defence contractors globally.
“This indictment also explicitly included the mention of the existence of the Yulin Naval Base which has been stated to be located on Hainan Island.
“While a direct correlation cannot be drawn between the cyber espionage campaign targeting entities involved with the site and portions of its supply chain in the days directly preceding kinetic naval intervention, the historic targeting focus of TA423 / Red Ladon and the subsequent naval intervention may suggest that this project in the South China Sea was highly likely an area of priority interest for the threat actor.’’
In a second case study, Proofpoint noted phishing activity attacking a European manufacturer of heavy equipment being used in the installation of an offshore wind farm in the Strait of Taiwan on March 24, 28 and 29 this year.
“Specifically, the manufacturer targeted was a key supplier of equipment for entities involved in the construction of the Yunlin Offshore Windfarm. This is a project which begun in 2020 and was projected to be completed in 2022. However, the project began to encounter construction delays which resulted in several major contractors terminating contracts and leaving the project unfinished between November 2021 and February 2022. This offshore energy project resumed in late April 2022,’’ it noted.
“The dates of the observed phishing activity align with the period between 2nd February 2022 and 28th April 2022 where the project’s future was uncertain. The targeting of supply chain entities by TA423 during this period of project uncertainty is notable, since the group has previously targeted projects in the South China Sea during key moments in their development timeline.’’
Proofpoint and PwC concluded that while Red Ladon had an international reach, it was heavily focused on the South China Sea and had a history of targeting companies related to development of “high strategic importance’’ such as the Kasawari Gas fields and Strait of Taiwan wind farm.
“We have observed TA423/Red Ladon using ScanBox, both in 2018 and 2022, in campaigns using an upcoming national election as a lure, wherein the threat actor built local news-themed malicious websites to draw targets to in order to infect them,’’ it said.
“Overall, Proofpoint and PwC collectively expect TA423/Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe and the United States.’’
More Coverage
Keating takes swipe at AUKUS ministers meeting
Former prime minister Paul Keating has slammed the AUKUS alliance partners for failing to respond to concerns about the future of Australian military sovereignty.
Unis warned on menace of foreign spies
ASIO has told universities to hire security escorts for foreign scientists and academics, and keep gifts out of high-security zones to safeguard research from espionage.