Chinese Hackers Deploy Fake News Site to Infect Government, Energy Targets

According to a blog posted Tuesday by Proofpoint and PwC Threat Intelligence.

The group is known by several names, including APT40, Leviathan, TA423 and Red Ladon. Four of its members were indicted by the US Department of Justice in 2021 for hacking into a number of companies, universities and governments in the US and around the world between 2011 and 2018.

APT40 members indicted by the US Department of Justice in 2021 / Image credit: FBI


The group uses its fake Australian news site to infect visitors with the ScanBox exploit framework. “ScanBox is a reconnaissance and exploitation framework deployed by the attacker to harvest several types of information, such as the target’s public IP address, the type of web browser used and its configuration,” explained Sherrod DeGrippo, Proofpoint Vice President for Threat Research and Detection.

“This serves as a setup for the information gathering and potential exploitation or compromise steps that follow, where malware could be deployed to gain persistence on the victim’s systems and allow the attacker to perform spying activities,” she told TechNewsWorld.

“It creates an impression of the victim’s network which the actors then study and decide on the best way forward to achieve further compromise,” she said.

“Watering hole” attacks that use ScanBox attract hackers because the point of compromise is not within the victim’s organization, added John Bambenek, principal threat hunter at Netenrich, a San Jose, California-based IT operations and digital security company.

“So it’s hard to detect that information is being quietly stolen,” he told TechNewsWorld.

Modular Attack

According to the Proofpoint/PwC blog, the TA423 campaign primarily targeted Australian local and federal government agencies, Australian news companies and global heavy industry manufacturers who service wind turbine fleets in the South China Sea.

The blog noted that the phishing emails for the campaign were sent from Gmail and Outlook email addresses, which Proofpoint assessed with moderate confidence were created by the attackers.

The subject lines of the phishing emails included “Sick leave”, “Looking for users” and “Request for cooperation”.

Threat actors would often impersonate an employee of the fictitious media publication “Australian Morning News”, the blog explained, and provide a URL to their malicious domain, soliciting targets to visit their website or share the content of research that the website would publish.

If a target clicked on the URL, they would be sent to the fake news site and unknowingly offered the ScanBox malware. To lend credibility to their fake website, the adversaries posted content from legitimate news sites, such as the BBC and Sky News.
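The traits the blog attributes to the campaign (free webmail senders posing as staff of a named publication, a short list of lure subjects, and a link out to the actors' own domain) are the kind of thing a mail-triage rule can flag. The script below is an added illustration, not code from the article or from Proofpoint/PwC: it parses two constructed messages with Python's standard `email` module and reports which of those traits each one shows. The allow-list of link domains, the sample addresses and the `news-portal.invalid` hostname are all made up for the example; the lure subjects are the three quoted in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains anyone can register on for free. A message that presents itself as
# coming from an organisation but is sent from one of these deserves a look.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

# Words in a display name that suggest the sender is claiming to speak for
# a publication or outlet (heuristic chosen for this example).
ORG_HINTS = ("news", "media", "press", "journal")

# Subject lines reported for this campaign, lower-cased for comparison.
LURE_SUBJECTS = {"sick leave", "looking for users", "request for cooperation"}

# Link destinations the organisation already trusts (constructed allow-list).
ALLOWED_LINK_DOMAINS = {"example.org", "bbc.co.uk", "news.sky.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_body(msg):
    """Return the text/plain content of a parsed message as a string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True).decode(errors="replace")
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_payload(decode=True).decode(errors="replace")


def triage(raw):
    """Return a list of findings for one raw RFC 5322 message (empty = nothing odd)."""
    msg = message_from_string(raw)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    subject = (msg.get("Subject") or "").strip().lower()
    body = extract_body(msg)

    # 1. Free webmail address whose display name claims an organisational role.
    if sender_domain in FREEMAIL_DOMAINS and any(h in display_name.lower() for h in ORG_HINTS):
        findings.append(f"freemail sender claiming organisation: {display_name!r} <{addr}>")

    # 2. Subject matches a lure used in the campaign.
    if subject in LURE_SUBJECTS:
        findings.append(f"subject matches known lure: {subject!r}")

    # 3. Links pointing outside the allow-list.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in ALLOWED_LINK_DOMAINS:
            findings.append(f"link to external domain: {host}")
    return findings


# Constructed sample messages (not real campaign artefacts).
SAMPLE_PHISH = """\
From: "Jane Editor - Australian Morning News" <jane.editor.amn@gmail.com>
To: analyst@example.org
Subject: Request for cooperation

Hi,

We are preparing a research piece and would value your input.
Please review our draft here: http://news-portal.invalid/research/draft
"""

SAMPLE_BENIGN = """\
From: Colleague <colleague@example.org>
To: analyst@example.org
Subject: Lunch tomorrow?

See https://example.org/cafeteria/menu for options.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, triage(raw))
```

None of the three rules is conclusive on its own (plenty of legitimate mail comes from Gmail with an external link), which is why the function returns all findings rather than a verdict; the value is in the combination, and in feeding the flagged domain into whatever lookup the team uses for newly registered or look-alike hostnames.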

ScanBox can deliver its code in two ways: as a single block, which gives an attacker immediate access to all malware functionality, or as a modular plug-in architecture. The TA423 crew chose the plug-in method.

According to PwC, the modular route can help avoid crashes and errors that would alert a target that their system is under attack. It is also a way to reduce the visibility of the attack for researchers.

Rise of phishing

As these types of campaigns show, phishing remains the tip of the spear used to penetrate many organizations and steal their data. “Phishing sites have seen an unexpected increase in 2022,” observed Monnia Deng, director of product marketing at Bolster, an automated digital risk protection provider in Los Altos, California.

“Research has shown that this problem has increased tenfold in 2022 because this method is easy to deploy, efficient, and a perfect storm in a post-pandemic digital workplace era,” she told TechNewsWorld.

DeGrippo argued that phishing campaigns continue to work because threat actors are adaptive. “They use the news and global social engineering techniques, often attacking a target’s fears and sense of urgency or importance,” she said.

A recent trend among threat actors, she continued, is to attempt to increase the effectiveness of their campaigns by building trust with intended victims through extended conversations with individuals or by inserting themselves into existing conversation threads between colleagues.

Roger Grimes, a defense evangelist with KnowBe4, a security awareness training provider in Clearwater, Florida, claimed that social engineering attacks are particularly resistant to technical defenses.

“Try as hard as you can, so far there haven’t been great technical defenses that prevent all social engineering attacks,” he told TechNewsWorld. “It’s especially difficult because social engineering attacks can come from emails, phones, text messages, and social media.”

Even though social engineering is involved in 70% to 90% of all successful malicious cyberattacks, it is the rare organization that spends more than 5% of its resources mitigating it, he continued.

“It’s problem number one, and we’re treating it as a small part of the problem,” he said. “It is this fundamental disconnect that allows attackers and malware to be so successful. Until we treat it as the number one problem, it will continue to be the primary means attackers use to attack us. It’s just math.”

Two things to remember

While TA423 has used email in its phishing campaign, Grimes noted that adversaries are moving away from this approach.

“Attackers more often use other means, such as social media, texting, and voice calls to do their social engineering,” he explained. “This is because many organizations focus almost exclusively on email-based social engineering, and the training and tools to combat social engineering on other types of media channels are not at the same level of sophistication in most organizations.”

“That’s why it’s crucial for every organization to create a personal and organizational culture of healthy skepticism,” he continued, “where everyone learns to recognize the signs of a social engineering attack, no matter how it arrives – whether by email, web, social media, text or phone call – and no matter who it appears to be sent by.”

He explained that most social engineering attacks have two things in common. First, they arrive unexpectedly; the user was not expecting the message. Second, they ask the user to do something that the sender – whoever it is – has never asked the user to do before.

“This could be a legitimate request,” he continued, “but all users should be aware that any message with these two characteristics is at a much higher risk of being a social engineering attack and should be verified using a reliable method, such as calling the person directly on a known good phone number.”

“If more organizations taught the two things to remember,” he said, “the online world would be a much safer place to compute.”
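Grimes' two characteristics (the message arrives unexpectedly, and it asks for something this sender has never asked for before) can be turned into a simple stateful check that a mail client or triage tool could run per user. The code below is an added example of that idea and is not from the article or from KnowBe4. It keeps a per-sender history of earlier messages and of the actions they requested, and rates a new message high risk when both characteristics hold, medium when only one does. The request-detection regex, the sample senders and the sample messages are constructed for the example and would need tuning for real mail.

```python
import re
from collections import defaultdict

# A request is a polite prompt followed, within two words, by an action verb.
# The verb list is a constructed heuristic, not an exhaustive one.
REQUEST_RE = re.compile(
    r"\b(?:please|kindly|can you|could you)\s+(?:\w+\s+){0,2}?"
    r"(review|open|download|visit|wire|transfer|send|approve|install|click)\b",
    re.IGNORECASE,
)


def requested_actions(text):
    """Return the set of action verbs the message asks the reader to perform."""
    return {m.group(1).lower() for m in REQUEST_RE.finditer(text)}


class SenderHistory:
    """What each sender has sent before and what they have asked for before."""

    def __init__(self):
        self.messages_seen = defaultdict(int)
        self.actions_seen = defaultdict(set)

    def record(self, sender, text):
        self.messages_seen[sender] += 1
        self.actions_seen[sender] |= requested_actions(text)

    def assess(self, sender, text):
        """Apply the two characteristics to a new message without recording it."""
        actions = requested_actions(text)
        # Characteristic 1: nothing from this sender before, so it is unexpected.
        unexpected = self.messages_seen.get(sender, 0) == 0
        # Characteristic 2: an action this sender has never asked for before.
        novel = bool(actions - self.actions_seen.get(sender, set()))
        if unexpected and novel:
            risk = "high"
        elif unexpected or novel:
            risk = "medium"
        else:
            risk = "low"
        return {"unexpected": unexpected, "novel_request": novel,
                "actions": sorted(actions), "risk": risk}


def build_sample_history():
    """Constructed history: a colleague who routinely asks for reviews."""
    history = SenderHistory()
    for text in ("Please review the attached draft",
                 "Can you review my slides before Friday?"):
        history.record("colleague@example.org", text)
    return history


if __name__ == "__main__":
    h = build_sample_history()
    print(h.assess("colleague@example.org", "Please review section 2"))
    print(h.assess("colleague@example.org", "Could you urgently wire the deposit today?"))
    print(h.assess("editor.amn@gmail.com", "Please visit our site to read the research"))
```

The point of the "medium" tier is that a familiar colleague asking for something new (a wire transfer instead of the usual review) still deserves the out-of-band check Grimes recommends, even though only one of the two characteristics applies; the history is what makes "never asked before" decidable rather than a matter of memory.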

Amanda J. Marsh