China-linked hackers target organizations operating in South China Sea

A group of China-based hackers is targeting organizations in countries across the Pacific Ocean and is specifically seeking information related to the hotly-disputed South China Sea, according to a new report from Proofpoint.

The targets of the campaign are governments and organizations in Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea.

The campaign has been ongoing since at least 2021 and was attributed by several governments to APT40 — a group based in China that has also been known as TA423, Leviathan and other names.

Proofpoint worked with the PwC Threat Intelligence team to outline the group’s activity.

“TA423 is one of the most consistent APT actors in the threat landscape. They support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia.”

While the group itself has been active since 2013, the report focuses on the campaign that ran from April to June and used what's known as the ScanBox exploitation framework to target people visiting a malicious domain made to look like an Australian news website.

TA423 has long had a focus on the South China Sea — parts of which have been claimed by China, Vietnam, the Philippines, Malaysia, Taiwan, Indonesia and Brunei — and typically targets defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations.

A 2012 map of the areas claimed in the South China Sea. Image: Voice of America

Proofpoint said that beginning on April 12 and continuing through the middle of June, their researchers identified “several waves of a phishing campaign resulting in the execution of the ScanBox reconnaissance framework.”

The phishing campaign was built around emails that contained links to malicious websites controlled by TA423. Victims who clicked the links were taken to fake websites that delivered the ScanBox payload to selected targets.

“ScanBox, detailed in open source as early as 2014 by AlienVault, is a JavaScript based web reconnaissance and exploitation framework which allows threat actors to profile victims, and to deliver further malware to selected targets of interest,” Proofpoint explained in its report. “PwC Threat Intelligence assesses it is highly likely that ScanBox is shared privately amongst multiple China based threat actors.”

Proofpoint tied the use of ScanBox to a wide range of government-backed groups in China and noted that it was previously used in 2017 and 2018 to target high-profile government entities in Cambodia like the National Election Commission.

The latest campaign went after both local and federal government agencies in Australia, as well as Australian news outlets and global heavy industry manufacturers that maintain fleets of wind turbines in the South China Sea. Malaysian offshore drilling and deep-water energy exploration entities, along with global marketing and financial companies, were targeted as well.

A number of companies involved in the South China Sea-focused wind farm industry were also targeted, including manufacturers, maintenance, exporters, consulting firms and construction companies. Earlier this year, the group also went after wind farms specifically in Taiwan, according to Proofpoint.

TA423 Tactics

The phishing campaign targeted Gmail and Outlook email addresses with fake messages that had titles like “Sick Leave,” “User Research,” and “Request Cooperation.”

The group would also pretend to be an employee of the fictional media publication “Australian Morning News,” urging victims to click on the malicious URL to the fake news outlet. The report notes that researchers have seen TA423 use this tactic in other campaigns.

One feature of the malware is that it comes with a keylogger, allowing the hackers to record any key pressed by the victim.

The report notes that last year, the U.S. Department of Justice tied TA423 to the Hainan Province Ministry of State Security (MSS) in an indictment, explaining that the group was “focused on intellectual property related to naval technology developed by federally-funded defense contractors globally.”

The Justice Department’s findings lined up with Proofpoint’s, and researchers said TA423 had now become well-known for launching attacks at times of tension between China and its neighbors.

“Following the US Department of Justice indictment and public disclosure in July 2021, Proofpoint analysts have not observed a distinct disruption of operational tempo specifically for phishing campaigns associated with TA423/Red Ladon,” the report explained.

“Overall, Proofpoint and PwC collectively expect TA423 / Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe and the United States.”

The report comes one week after officials in the Solomon Islands stopped a U.S. Coast Guard vessel from refueling in its capital Honiara. The move came after the Solomon Islands signed a defense agreement with China in May.

On Tuesday, the U.S. said it was told by the Solomon Islands government that no US Navy ships will be allowed to stop at its ports from now on.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.