
Chinese threat actors have been impersonating Australian news media outlets to target government agencies and wind turbine fleets in the South China Sea.

After receiving phishing emails from the hackers that carried enticing lure messages, victims were directed to a fraudulent site. Waiting for them there was a malicious JavaScript payload that formed part of the ScanBox reconnaissance framework.

The campaign operated in April and June of this year and targeted individuals employed by local and Australian federal authorities, Australian news media companies, and international heavy industry businesses that maintain wind turbines in the South China Sea.

Proofpoint and PwC (PricewaterhouseCoopers) security experts studying the campaign concluded that its goal was cyberespionage. The researchers attribute the activity with moderate confidence to a China-based group tracked as APT40 (a.k.a. TA423, Leviathan, Red Ladon).

“This campaign is a great reminder that no matter how big or small your organisation is, you are a target for cybercriminals. Organisations need a comprehensive security strategy that includes email and web security controls to defend against these attacks,” said Fadie Salame, global security intelligence lead at Proofpoint.

PwC’s Jonathan Tanner added: “Our analysis shows that the attackers behind this campaign are highly skilled and well-resourced. They have used a sophisticated technique to evade detection and successfully trick victims into clicking on malicious links.”

ScanBox has been seen in multiple attacks from at least six China-based threat actors, and there is evidence indicating that hackers may have used the toolkit as early as 2014.

According to a study released today by Proofpoint, cybercriminals sent phishing emails to targets in several waves via Gmail and Outlook email addresses.

The sender pretended to work for “Australian Morning News,” a phony news organisation, and included a URL to the illicit site. The website featured articles ripped from several reputable news sources.

The URLs also included unique values for each target, the researchers say. Even though every URL led to the same page and malicious payload, the varied value ensured that each click would be registered as coming from a different user.
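One way a defender can hunt for the pattern described above in web proxy logs is to group requests by host and path and flag pages where every visiting client carried a different value of the same query parameter. This is an added example, not code from the article or the Proofpoint/PwC research; the log lines, domain names and client addresses are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines: "<client_ip> <url>" (not real indicators).
# The first three hits share one landing page but each carries a unique id value;
# the last three are an ordinary internal page with a shared parameter value.
SAMPLE_LOG = """\
10.0.0.11 http://news-lure.example/article?id=a1f3c9
10.0.0.12 http://news-lure.example/article?id=7be201
10.0.0.13 http://news-lure.example/article?id=0c44d8
10.0.0.11 http://intranet.example/portal?page=1
10.0.0.12 http://intranet.example/portal?page=1
10.0.0.13 http://intranet.example/portal?page=1
"""

def parse_log(text):
    """Yield (client, url) pairs from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[1]

def find_per_user_tracking(log_text, min_clients=3):
    """Return {(host, path): parameter_name} for pages where each visiting
    client carried its own distinct value of one query parameter and no value
    was shared between clients. That is the 'same page, unique value per
    recipient' pattern used to register which target clicked a lure."""
    # (host, path) -> param name -> value -> set of clients that sent it
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    clients = defaultdict(set)
    for client, url in parse_log(log_text):
        u = urlsplit(url)
        key = (u.hostname, u.path)
        clients[key].add(client)
        for name, values in parse_qs(u.query).items():
            for value in values:
                seen[key][name][value].add(client)
    hits = {}
    for key, params in seen.items():
        if len(clients[key]) < min_clients:  # too few visitors to judge
            continue
        for name, by_value in params.items():
            one_value_per_client = len(by_value) == len(clients[key])
            no_shared_values = all(len(c) == 1 for c in by_value.values())
            if one_value_per_client and no_shared_values:
                hits[key] = name
    return hits

if __name__ == "__main__":
    for (host, path), param in find_per_user_tracking(SAMPLE_LOG).items():
        print(f"per-target tracking value on {host}{path} via parameter '{param}'")
```

Raise `min_clients` on busy proxies to avoid flagging pages that only a handful of users ever visited.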

Visitors to the phony website were served a copy of the ScanBox framework, which executed as JavaScript and loaded its modules in stages.
