The Chinese state-aligned threat actor TA423 (aka Leviathan/APT40) is behind a sustained cyber-espionage campaign against countries and entities operating in the South China Sea, including organizations involved in an offshore wind farm in the Taiwan Strait.
The threat actor’s most recent campaigns used malicious emails impersonating Australian media organizations, including the fake Australian Morning News, to deliver ScanBox malware for reconnaissance, according to a report drafted by cybersecurity firm Proofpoint, working in collaboration with PwC.
Researchers also observed phishing activity targeting governmental agencies, media companies, and South China Sea wind turbine operators, as well as a European manufacturer supplying equipment for the Yunlin Offshore Windfarm in the Taiwan Strait.
“The ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and Outlook email addresses which Proofpoint assess with moderate confidence were created by the threat actor, and utilized a variety of subject [lines] including ‘Sick Leave,’ ‘User Research,’ and ‘Request Cooperation,'” a blog post on the campaign noted, adding that the phishing campaign is currently ongoing.
ScanBox is a reconnaissance and exploitation framework designed to harvest several types of information, such as the target’s public-facing IP address, the type of Web browser they use, and their browser configuration (language or plugin information, for example). It allows threat actors to profile victims, and to deliver further carefully crafted malware to selected targets of interest.
This serves as a setup for the following stages of information gathering and potential follow-on exploitation or compromise, where malware could be deployed to gain persistence on the victim’s systems and allow the attacker to perform espionage activities.
“It creates an impression of the victim’s network that the actors then study and decide the best route to take to achieve further compromise,” explains Sherrod DeGrippo, Proofpoint’s vice president of threat research and detection.
Proofpoint began to observe a consistent pattern of targeting against entities based in Malaysia and Australia as far back as March 2021 — the first phase of the campaign.
“The second phase began in March 2022 and consisted of phishing campaigns which used RTF template injection attachments leveraging template URLs that were customized for each target,” the report noted.
Active for Almost a Decade
DeGrippo notes that TA423 has been active for almost 10 years, with its activity dovetailing with military and political events in the Asia-Pacific region. TA423’s typical targets include defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.
She calls TA423 “one of the most consistent” advanced persistent threat (APT) actors in the threat landscape, supporting the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan.
“This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia,” she explains.
The group is so capable that in 2021, the US Department of Justice charged four of its alleged members with “global computer intrusion campaign targeting intellectual property and confidential business information.”
“We expect TA423 to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries with interests in the South China Sea, as well as further intrusions in Australia, Europe and the United States,” DeGrippo says.
Spike in Phishing Campaigns
Malicious actors are using increasingly sophisticated and unusual methods to conduct phishing campaigns.
Earlier this month, threat actors use a compromised Dynamics 365 Customer Voice business account and a link posing as a survey to steal Microsoft 365 credentials in a widespread campaign.
Google researchers also discovered the latest threat from Iranian APT group Charming Kitten, which has a new data-scraping tool that claws emails from victim Gmail, Yahoo, and Microsoft Outlook accounts using previously acquired credentials.
DeGrippo says protecting email users and the email vector should be a top priority for organizations, particularly those heavily targeted industries with significant email traffic.
“Organizations should focus on a cybersecurity strategy based on people, processes, and technology,” she adds. “This means training individuals to identify malicious emails, using email security tools to block threats before they reach users’ inboxes, and putting the right processes in place to ensure that threats can be mitigated immediately.”