Chinese hackers use ScanBox malware to target Australian government

China-based actors have been targeting Australian government agencies and wind turbine fleets by directing individuals to a fake media outlet impersonating an Australian news organisation. The site they were led to contained content plagiarised from legitimate news websites. From April to June 2022, the campaign targeted individuals at local and federal Australian government agencies, Australian news media organisations, and global heavy industry manufacturers maintaining wind turbines in the South China Sea.

Threat actors based in China have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake news media outlet impersonating an Australian news outlet. The sender pretended to be an employee of the hoax media outlet ‘Australian Morning News’, with a link leading to the malicious website. The site included plagiarised content from legitimate news websites.

Victims arrived at the fraudulent site after receiving phishing emails with enticing lures; there, the ScanBox reconnaissance framework delivered a malware payload. From April to June 2022, the campaign targeted individuals at local and federal Australian government agencies, Australian news media organisations, and global heavy industry manufacturers that provide maintenance for wind turbines in the South China Sea.

Proofpoint and PwC (PricewaterhouseCoopers) security researchers, who observed the campaign, concluded that its goal was cyberespionage. They attribute the activity with moderate confidence to a China-based threat group known as APT40 (aka TA423, Leviathan, Red Ladon).