Fake News Website Fools Australian Politicians

Cyber-spies may have had their eyes on a geopolitical prize.
5 September 2022

Could a malware attack in Australia have its roots in the South China Sea?

In the modern media frenzy surrounding politicians, there is a suspension of effective cybersecurity practice. Just as, for instance, malware like Golden Chickens was spread in documents like resumes and job descriptions through LinkedIn, where there is an expectation that such documents will be what they claim to be and are opened on that basis, so in the world of politics and journalism, there is an expectation that emails from journalists are genuine.

That circle of instant trust, powered by the expectation that today will be like yesterday, is an open door for malware spreaders, email scammers, and outright hackers – as high-profile figures in Australia have just discovered. Hackers set up a literal “fake news” website, populated with stolen content from the UK’s BBC News and riddled with malware. Then they sent legitimate-sounding emails to leading Australian politicians and journalists from around 50 unique and plausible email accounts. Each of the mails included links to the malware site, and that inherent circle of trust and expectation led the recipients to click through to the site, where their systems were duly infected.

The Culprits and Their Tools

The particular malware used was the ScanBox reconnaissance framework. ScanBox is a customizable, multifunctional JavaScript-based framework used to conduct covert reconnaissance rather than, for instance, to deliver DDoS attacks or ransomware. As such, it is a technical misnomer to call it malware, but it has been used for almost a decade to give cyber-criminals a heads-up on privileged information.

That becomes significant when added to the attribution by US security firm Proofpoint, which said it had “high confidence” that the hackers were aligned with the Chinese government. In fact, in a move not usually made without a reasonable degree of credible evidence, Proofpoint pinned the attack on a Chinese threat group known as APT40 (also known as TA423, Leviathan, and Red Ladon).

The US Department of Justice agreed with that attribution, given data provided to it by Proofpoint.

Four members of the group were charged with crimes by the US in 2021, at which time the UK’s National Cyber Security Centre said it was “almost certain” they were linked or affiliated to the Chinese government.

In the latest attack, Proofpoint said its investigations had also uncovered targeted phishing campaigns against the Kasawari gas field and a Taiwanese wind farm. All of this led Proofpoint to infer that the aim of the campaign was to cyber-spy on potential high-ranking players and media outlets, gathering their thoughts on and reactions to China’s allegedly expansionist plans in the South China Sea.

The Potential Motive

The Sea is an area that has always been widely regarded as international waters by Western powers, and especially the US. That is a view to which China is unsympathetic, claiming the region as part of its own territorial possessions. Spying on Australian politicians and journalists to read the wind would make sense from China’s point of view. If it steps up from simply claiming the South China Sea as its own to, for instance, cutting it off to non-Chinese shipping, the effect on the US and the rest of the Western world would be indirect, but up to 90% of Australia’s fuel imports would be directly threatened, leaving the country fuel-dry within around two months of any successful blockade being established.

The Impact of the South China Sea

With much of Europe, and indirectly the US, already suffering from a Russian clampdown on its gas pipelines in the wake of its illegal invasion of Ukraine, a Russia-friendly China throttling Australian fuel supplies would be the most openly West-hostile move yet made in the widely recognized cold war growing up between the US and China.

That cold war has been felt especially hard in the technology sector, with brand-new US restrictions on chipmakers exporting AI processors to China coming into force in the first week of September, particularly where such chips could be ‘diverted’ by Chinese or Russian forces with a military intent. Such moves have hit domestic suppliers like Nvidia particularly hard.

The Methodology of the Scam

The deployment of the ScanBox reconnaissance framework was particularly simple and effective, taking advantage of that “circle of trust” atmosphere between politicians, journalists, and media outlets.

Once the malware site was set up, email accounts with plausibly Australian names and basic personas were created, and emails were sent to the targets with the hook-line that the sender had either set up a new news website or was writing for it. Recipients were asked to review the site and consider writing for it themselves.

Within media circles of trust, such a pitch was particularly plausible, and it put recipients off their guard as far as normal cybersecurity practice was concerned. That makes the attempted cyber-spying a novel and particularly effective attack, using the techniques of sophisticated LinkedIn-based email spearphishing and backing them up with plausible media start-up methodology. Thankfully, the campaign only ran between April and June 2022. As global politics between the US and China grows ever more strained, though, the likelihood of further similar attacks remains high.