Evidence Backs Up Beijing Link to South China Sea Hackers


A woman cycles past a building registered to Huaying Haitai Science and Technology Development Co. in Tianjin, China, the alleged employer of two Chinese nationals indicted by the United States on hacking charges on December 21, 2018. (Reuters)
Zhao Lijian

Chinese Foreign Ministry Spokesman

“[Proofpoint] has frequently collaborated with the U.S. government to systematically spread disinformation on the so-called ‘China hacking attacks,’ serving as the ‘white gloves’ of the U.S. government.”

False

On August 30, cybersecurity firm Proofpoint revealed that hackers linked to the Chinese state had targeted energy companies operating in the South China Sea, as well as other public and private entities in Australia and beyond.

The U.S. Department of Justice had already indicted hackers linked to the campaign.

China sought to deflect blame by attacking Proofpoint’s credibility.

“[Proofpoint] has frequently collaborated with the U.S. government to systematically spread disinformation on the so-called ‘China hacking attacks,’ serving as the ‘white gloves’ of the U.S. government,” Chinese Foreign Ministry Spokesman Zhao Lijian said at a news conference on August 31.

“We believe the international community has its own judgment on the firm’s real intention.”

Proofpoint’s efforts to identify global cybersecurity threats are anything but disinformation, however. The firm’s revelations about malicious activities linked to the South China Sea add to a growing body of evidence pointing to Beijing.

Chinese tourists take souvenir photos with the Chinese national flag as they visit Quanfu Island, one of Paracel Islands in the South China Sea, on September 14, 2014. (Associated Press)

Proofpoint did not come to its conclusions alone. It collaborated with the PwC (PricewaterhouseCoopers) Threat Intelligence team to examine what the two called a multi-phase, sustained phishing campaign. And they attributed the campaign to a “China-based, espionage motivated threat actor.”

“Our Threat Insight team conducts research into the most pertinent cyber threats facing society today to keep our customers and the wider community safe. To do so, the findings are subjected to rigorous scrutiny to ensure accuracy and objectivity,” Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint, said in a statement.

“We often publish these findings with the purpose of keeping the global cybersecurity community informed of the threats facing organizations around the world, thus contributing to a more secure overall landscape. We of course stand by the findings published this week and will continue to provide thorough and reliable research on breaking cyber threats.”

The China-based hackers, identified as Red Ladon or TA423, have been active since 2013, “targeting a variety of organizations in response to political events in the Asia-Pacific region,” Proofpoint said.

The latest phase of the cyber-espionage campaign, active from April through June 2022, spanned Australia, Malaysia, Europe and entities operating in the South China Sea.

TA423 engaged in a phishing scam by posing as the employee of a made-up news website called the Australian Morning News, which copied content from legitimate news publications.

Targets' computers were infected with malware when they clicked on links to the site.

Proofpoint said the hackers sought to infiltrate Australian military academic institutions, local and federal government entities and the public health sector.

Canberra previously accused China of directing cyberattacks against Australian government and corporate interests in response to its decision to ban the Chinese telecommunications giant Huawei's involvement in developing Australia’s 5G network.

Australia has expressed concerns over Huawei's close ties to the Chinese Communist Party, although Beijing denies the company is controlled by the state.

In Malaysia, the hackers targeted offshore drilling and deep-water energy exploration entities, specifically those involved with the Kasawari Gas Project off the coast of Malaysia in the South China Sea, which China’s Coast Guard contests.

Malaysian financial and global marketing companies, and entities directly involved in an offshore wind farm in the Taiwan Strait, also were in the crosshairs, Proofpoint said.

The hackers targeted several multinational firms related to the “global supply chains of offshore energy projects in the South China Sea.”

The hackers also sought to penetrate Cambodia's National Election Commission prior to that country’s 2018 elections.

A woman shows her stained finger at a polling station during a general election in Phnom Penh, Cambodia, on July 29, 2018. (Samrang Pring/Reuters)

“Proofpoint assesses with moderate confidence that the campaigns were conducted by the China-based, espionage-motivated threat actor TA423, which PwC tracks as Red Ladon and which also overlaps with ‘Leviathan,’ ‘GADOLINIUM,’ and ‘APT40,’” the cybersecurity firm said.

Proofpoint noted “the content of the emails and the malicious URL technique” mirrored those previously used by threat actor TA423.

Specifically, between April and September 2021, Proofpoint documented a novel method used for malicious phishing — Rich Text Format injection — employed by TA423 to target entities in Malaysia and other firms working in the energy exploration sector.

Proofpoint breaks down how Rich Text Format injection works here.

TA423 used those same techniques in its latest cyber-espionage campaign, the company said.

Proofpoint noted that TA423 had already been named in a 2021 U.S. Department of Justice indictment, which named the operation as providing “long-running support to the Hainan Province Ministry of State Security.”

Hainan is China’s southernmost province and consists of islands in the South China Sea.

“One of TA423’s longest running areas of responsibility is assessed to include the South China Sea, with the U.S. Department of Justice indictment indicating that the threat actor has historically focused on intellectual property related to naval technology developed by federally funded defense contractors globally,” Proofpoint said.

The cybersecurity firm Mandiant also found that advanced persistent threat (APT) group APT40 (a.k.a. TA423) engages “in broader regional targeting against traditional intelligence targets, especially organizations with operations in Southeast Asia or involved in South China Sea disputes.”

“We assess with moderate confidence that APT40 is a state-sponsored Chinese cyber espionage operation. The actor’s targeting is consistent with Chinese state interests and there are multiple technical artifacts indicating the actor is based in China,” Mandiant said.

The United States and other Western states accused China of carrying out the 2021 Microsoft Exchange Server cyberattacks.

In its 2021 Microsoft Digital Defense Report, Microsoft said the U.S. government and its allies had attributed, “with a high level of confidence,” the attacks targeting Microsoft “to cyber actors affiliated with China’s civilian intelligence agency, the Ministry of State Security.”

A man walks by the Microsoft office in Beijing on August 7, 2020. (Associated Press)

The U.S. Justice Department charged four members of APT40 for conducting a global computer intrusion campaign that targeted dozens of companies, universities and government entities between 2011 and 2018.

The department said the four individuals were Chinese nationals working with China’s Ministry of State Security.

The British government also concluded that the Chinese Ministry of State Security was behind APT40.

In February, China was linked to a hacking campaign targeting News Corp outlets, including The Wall Street Journal.

Mandiant said the threat actors had “a China nexus,” adding “they are likely involved in espionage activities to collect intelligence to benefit China’s interests.”

In its 2021 Global Threat Report, the U.S. cybersecurity firm CrowdStrike said that Chinese adversaries are “one of the most prolific state-sponsored cyber actors on the planet.”
