Proofpoint exposes threat actor targeting Australia


By Dylan Bushell-Embling
Thursday, 01 September, 2022

A hacker group closely aligned to the Chinese government is targeting countries and entities operating in the South China Sea — including Australia — with a sophisticated cyberespionage campaign, according to Proofpoint.

The threat actor known as TA423, Leviathan or APT40 has been primarily targeting organisations including local and federal Australian government agencies, news media companies and heavy industry manufacturers operating in the South China Sea.

Other targets include defence contractors, universities and foreign companies involved with Australasian policy or South China Sea operations, Proofpoint said in a report.

The cyber espionage campaign, launched in April, involved targeted phishing attacks using URLs impersonating Australian media entities including The Australian. The URLs point to a malicious website posing as an Australian news media outlet, designed to deliver a JavaScript ScanBox malware payload to selected targets.

According to Proofpoint, TA423 has consistently focused on entities involved with energy exploration in the South China Sea, in tandem with domestic Australian targets including defence and health care.

The threat actor has also repeatedly targeted both Australian governmental and energy-related target sets within a single campaign over multiple years, according to Proofpoint VP of Threat Research and Detection Sherrod DeGrippo.

“TA423 is one of the most consistent APT actors in the threat landscape. They support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan,” she said.

“This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan and Australia.”


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd