NewsBite

China backed spy ‘journalists’ launch reconnaissance over Taiwan policies

A new report has revealed how Beijing-backed spies have used a fake media site to steal national security secrets from Australia.

We don’t know what else the Chinese government is ‘hoovering up’

Beijing-backed cyber spies posing as journalists – some from News Corp Australia – have launched a “reconnaissance” attack to steal national security secrets from our military, energy sector and policies on the South China Sea.

In one instance, the hacking agency even created a fake online media company called “Australian Morning News” with curated real news items to entice victims to engage and inadvertently install dangerous harvesting programs to steal secrets.

US-based cyber security firm Proofpoint and professional services giant PwC jointly identified the espionage campaign between April 12 and mid-June 2022, specifically targeting DFAT, Austrade and “naval issues” related to Australia, Taiwan, Malaysia and Singapore.

Offshore wind farms a target for China’s espionage program on Australia.

In Australia, it is specifically targeting entities involved in the operations and supply chains of offshore energy programs, notably in the South China Sea, their investors such as ASX-listed Macquarie Capital, and the defence and health industries and their respective supply contractors.

The move follows heightened tensions between China and the West over Taiwan and an Australian Defence-commissioned report outlining that a major conflict in the South China Sea would threaten 90 per cent of Australia’s fuel imports and other goods supply.

“Targeted organisations include defence contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes and foreign companies involved with Australasian policy or South China Sea operations,” the Proofpoint/PwC report found.

The espionage-motivated cyber spy group known by various names, including TA423/Red Ladon, APT 40 Leviathan and Kryptonite Panda, operates behind a technology front company but is run by the Beijing-managed Ministry of State Security (MSS) in Haikou, on China’s Hainan Island, and is linked to China’s nuclear submarine Yulin Naval Base.

Sherrod DeGrippo, vice president threat research and detection, at Proofpoint.

During this time, the group set up a fake media company, with phishing emails asking recipients to support a malicious, newly created “humble news website” called australianmorningnews.com, which featured curated legitimate news items from sources including the BBC and Sky News.

Once the link is clicked, malware starts to harvest everything it can, from passwords and contact lists to computer habits, to contact other targeted victims and ultimately harvest sensitive information related to national security.

The group has also been deploying malware payloads with domains impersonating the national broadsheet The Australian and Victoria’s Herald Sun newspapers for unsuspecting but targeted victims to click on and inadvertently allow server access.

The Beijing-backed technology front company designated APT 40 using a hall room of hackers to steal Australian military, health and energy secrets, with the FBI indicting four of its principals.

“This particular threat actor group we believe is sponsored by China-based military intelligence, so we consider them to be an APT (Advanced Persistent Threat) financed, organised and operated by the Chinese government for espionage purposes,” Proofpoint threat research and detection vice president Sherrod DeGrippo said.

Royal Australian Navy helicopter frigate HMAS Parramatta conducts officer of the watch manoeuvres with amphibious assault ship USS America, guided-missile cruiser USS Bunker Hill and guided-missile destroyer USS Barry in the South China Sea. Picture: Defence

Ms DeGrippo added: “China has its eye on Australia and some of these South China Sea movements that we are seeing whether private contractors … or actual government type employees but, at the end of the day, the information that any of these groups is looking for is information that allows them to get ahead in some way.”

Proofpoint/PwC identified several “waves” of attacks using this method to target federal and local governments, defence, military academic institutions and think tanks and the public health sector.

A similar scam was launched by the same group against the government in Cambodia in 2018 during its elections.

Originally published as China backed spy ‘journalists’ launch reconnaissance over Taiwan policies


Original URL: https://www.thechronicle.com.au/news/national/china-backed-spy-journalists-launch-reconnaissance-over-taiwan-policies/news-story/4d8c4914e50de43204768476dd4bcdcc