A known China-based espionage actor in April leveraged the ScanBox exploitation framework in order to spy on local and federal government agencies and news media companies in Australia, as well as several global companies involved in offshore energy projects in the South China Sea.
The latter type of victim involved global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea. For instance, the threat group launched a phishing attack in March on a European supplier of heavy equipment used in the installation of an offshore wind farm in the Strait of Taiwan called the YunLin Offshore Wind Farm. The targeting of these development projects coincided with a “time of tensions between China and other countries related to development projects of high strategic importance,” said researchers.
The threat actor, known as TA423 or Red Ladon, has overlaps in activity with APT40, which was highlighted by the U.S. Department of Justice in a 2021 indictment that assessed that it provides long-running support to the Hainan Province Ministry of State Security (MSS) and has focused on intellectual property related to naval technology developed by federally-funded defense contractors globally. Since this July 2021 indictment, however, Proofpoint analysts said in new research this week they have not observed a distinct disruption of operational tempo specifically for phishing campaigns associated with TA423/Red Ladon.
“While the indictment attributed this threat actor to a specific entity operating with support of a Chinese state intelligence agency, the technical details included did not cover the tactics currently in use by the group in the wild,” said Michael Raggi, with Proofpoint, and Sveva Scenarelli at PwC, in a joint Tuesday analysis. “As a result, the group was free to continue its usage of novel phishing techniques like RTF Template Injection which began in early 2021 (before the indictment) and persisted through March 2022.”
These attacks started with phishing emails from Gmail and Outlook email addresses, posing as an employee of a fictional media publication called “Australian Morning News” and soliciting user feedback, or using a variety of lures, including “Sick Leave,” “User Research” and “Request Cooperation.”
“Overall, Proofpoint and PwC collectively expect TA423 / Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe and the United States,” said researchers.