Skip links

China-linked APT40 gang targets wind farms, Australian government

Researchers at security company Proofpoint and PricewaterhouseCoopers (PWC) said on Tuesday they had identified a cyber espionage campaign that delivers the ScanBox exploitation framework through a malicious fake Australian news site.

The campaign, active from April to June of this year, targeted Australian government agencies, Australian media companies and manufacturers who conduct maintenance on wind turbine fleets in the South China Sea. Proofpoint said the victim profile was similar to a June 2021 TA423 threat that delivered a downloader in DLL format via RTF template injection.

According to the researchers, victims were sent phishing emails that directed them to faked versions of Australian news outlets The Herald Sun and The Australian. Both outlets are part of Rupert Murdoch’s media empire.

The faked versions of the outlets’ sites included copied and pasted news stories, but lurking deeper in the code was malware. This tactic is similar to one used by TA423 during 2018 elections in Cambodia.

Each target received a slightly different URL that led to the same page, indicating the threat actors may have tracked its victims rather than use a spray and pray method.

Once lured to the site, users were infected with a malicious ScanBox JavaScript payload as a plugin-based modular architecture. The plugin modules included a keylogger, browser identification plugins, browser fingerprints to identify system tech capabilities, peer connection plugins and a check if Kaspersky security tools are installed on the machine.

Researchers said the plugins were likely loaded separately to prevent detection through telltale incidents such as suspicious crashes of the victim’s machine.

ScanBox is an advanced persistent threat that collects information about the victim’s system without infecting it. The toolkit has been around since at least 2014 and is used by nation-state threat actors associated with or sponsored by the Chinese government.

With all signs pointing to TA423, the researchers were able to further detect the presence of another related China-Nexus cyber espionage actor, the state-sponsored APT40.

“The joint efforts of Proofpoint and PwC researchers provide a moderate confidence assessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent recent efforts by TA423 / Red Ladon,” said Proofpoint and PWC.

“Activity which overlaps with this threat actor has been publicly referred to in governmental indictments as ‘APT40’ and ‘Leviathan,’” added the duo, who concluded that the latest news spoofing campaign is the third phase of an APT40 intelligence-gathering mission that has been ongoing since March 2021.

APT40 has been around long enough to get attention for the US Department of Justice (DoJ). In July 2021, the DoJ indicted four members of the cyber gang living in China’s Hainan Province for allegedly compromising “the computer systems of dozens of victim companies, universities and government entities in the United States and abroad between 2011 and 2018.” ®