Proofpoint researchers have revealed that a Chinese state-aligned actor has been carrying out espionage campaigns on countries and entities involved in political events revolving around South China Sea. The most recent attack took place between April and June this year.

This Chinese state-aligned actor is called TA423.

According to Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint:

“TA423 is one of the most consistent APT actors in the threat landscape. They support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan. This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia.”

What is APT?

It is an acronym for Advanced Persistent Threat. It refers to “a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period of time.” – TechTarget

To find out more about this espionage campaign by TA423 and whether you and I will be affected, we asked Sherrod DeGrippo to shed more lights on the matter.

---

What does it mean by Chinese-state aligned threat actor and what are the tell-tale signs or proof?

TA423 / Red Ladon is a China-based, espionage-motivated threat actor that has been active since 2013, targeting a variety of organisations in response to political events in the Asia-Pacific region, with a focus on the South China Sea. In 2021, the US Department of Justice charged four of its alleged members with “global computer intrusion campaign targeting intellectual property and confidential business information”, and the indictment assessed that TA423 / Red Ladon provides long-running support to the Hainan Province Ministry of State Security (MSS) in China. Proofpoint attributes this recent activity to the TA423 threat actor which was historically tied to the Hainan Province of the MSS.

TA423/Red Ladon have historically targeted sensitive espionage information, which is commonly used to inform geopolitical decisions of the Chinese State once routed through the domestic intelligence agency in China known as the Ministry of State Security. Historically, the theft of intellectual property by Chinese APT groups has prominently resulted in the Chinese military and manufacturing contractors reverse engineering military technology for use in their own armed forces. In this case, it appears that the campaigns may have aligned more closely with espionage. The combination of technical tactics like RTF template injection and use of ScanBox, the victimology targeting South China Sea entities as well as the Australian government, and the social engineering preference of impersonating legitimate news sites to deliver ScanBox during elections in the Oceania region all align with historic TA423 tactics.

What is a ScanBox?

ScanBox is a JavaScript based web reconnaissance and exploitation framework which allows threat actors to profile victims, and to deliver further malware to selected targets of interest.

JavaScript is a type of code that can be utilized to perform malicious actions on a host or in a browser if executed by the respective device or application. In the case of ScanBox, it is a JavaScript reconnaissance framework that is executed in the user’s browser. Things like browser isolation allow for the prevention of JavaScript browser-based framework like ScanBox.

How can they access what they want through phishing emails?

Phishing campaigns continue to work because of how adaptive threat actors are, their use of current affairs and overall social engineering techniques, many times preying off targets’ fears and sense of urgency or importance.

A target falling for the phishing attempt and visiting the malicious link would expose its browser to ScanBox, a web-based reconnaissance and exploitation framework deployed by the attacker. ScanBox would first harvest and send back to the attacker several types of information, such as the target’s public-facing IP address, the type of web browser used and its configuration (language, plugin information, etc). This step serves as a setup for the next stages of information gathering and potential follow-on exploitation or compromise, where malware could be deployed to gain persistence on the victim’s systems and allow the attacker to perform espionage activities. A particularly interesting potential impact was the actor’s ability to do peer network mapping. This would basically draw a roadmap for lateral movement through an impacted victim’s environment.

Ultimately, we’ve noted threat actors attempting to increase the effectiveness of their campaigns by building trust with intended victims by holding extended conversations, expanding abuse of effective tactics such as using trusted companies’ services, leveraging orthogonal technologies, such as the telephone, in their attack chain, making use of existing conversation threads between colleagues, and regularly leveraging topical, timely, and socially relevant themes.

Is this something of concern for people who do not work for their target’s government and why?

We expect TA423 to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries with interests in the South China Sea, and Proofpoint blocks these threats when they’re detected in email against our customers. However, damage can also occur if threat actors can get access via another method or attempt delivery via another means, as attacks can be sprung from all directions. Numerous observed targets worked in the non-government sector and included employees of global engineering firms and energy exploration companies that were active in the South China Sea.

How can anyone protect themselves over this?

Protecting email users and the email vector should be a top priority for organisations, particularly those heavily targeted industries with significant email traffic. Organisations should focus on a cybersecurity strategy based on people, processes, and technology. This means training individuals to identify malicious emails, using email security tools to block threats before they reach users’ inboxes and putting the right processes in place to ensure that threats can be mitigated immediately. Additionally, the deployment of tools like browser isolation to prevent the execution of JavaScript responses in the user’s native browser can help protect users from this kind of threat.