Chinese intelligence threat actors are conducting cyberespionage campaigns targeting the Australian government and corporations involved with energy extraction in the South China Sea, researchers say.
The campaign’s latest guise is posing as an Australian online news outlet in a bid to lure victims to a site that serves ScanBox, a JavaScript-based web reconnaissance and exploitation framework that is likely shared among multiple China-based threat actors, concludes a joint report from Proofpoint and PricewaterhouseCoopers.
The two companies assess with moderate confidence that the campaign, which Proofpoint began to observe in March 2021, is the work of the threat actor tracked as TA423 or Red Ladon. Its activities overlap with those of the threat actor dubbed APT40 or Leviathan.
A 2021 indictment of Chinese hackers by the U.S. Department of Justice attributed the group’s activity to the Hainan State Security Department, a provincial arm of China’s Ministry of State Security in the southern island province of Hainan. Proofpoint and PwC researchers assess that the South China Sea is one of TA423’s longest-running areas of responsibility (see: US Indicts 4 Chinese Nationals for Lengthy Hacking Campaign).
The phishing campaign is one sign of South China Sea regional tensions, where Beijing aggressively presses disputed territorial claims. “There is a clear and upward trend of PRC provocations against South China Sea claimants and other states lawfully operating in the region,” a U.S. Department of State official told a Washington think tank audience, Reuters reported earlier this summer.