Chinese Threat Actors APT40 Targets Energy Sector in Australia and the South China Sea

The Chinese state-owned threat actor, APT40, targets Australian government agencies, Australian media companies and manufacturers that maintain wind turbine fleets in the South China Sea.

Cybersecurity firm Proofpoint, which works in collaboration with PwC, said the threat actor sent phishing emails impersonating the latest campaigns, fake Australian Morning News and Australian media outlets.

The APT40 activity was active from April to June with URLs contained in phishing emails redirecting victims to a malicious website, and the landing page sent a JavaScript ScanBox malware payload to selected targets.

“The ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and Outlook email addresses which Proofpoint assess with moderate confidence were created by the threat actor, and utilized a variety of subject [lines] including ‘Sick Leave,’ ‘User Research,’ and ‘Request Cooperation,'” The company said in the blog post.

ScanBox is a reconnaissance and exploitation framework designed to collect various information such as the target’s public IP address, the type of Web browser they are using, and the browser configuration. Allows threat actors to profile victims.

Proofpoint has started to observe a pattern that will be welcomed to organizations that will be trained by March 2021, the first protection of the campaign.

“The second phase began in March 2022 and consisted of phishing campaigns using RTF template inserts that leveraged template URLs customized for each target,” the report states.

It is stated that APT40 has been active for about 10 years, with its activity overlapping with military and political events in the Asia-Pacific region. Its targets include defense contractors, manufacturers, universities, government agencies, law firms involved in diplomatic disputes, and foreign companies involved in Australasian policy or South China Sea operations.

“This group specifically wants to know who is active in the region, and while we can’t say for sure, their focus on maritime issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan and Australia.” The company said.

Threat actors are using increasingly sophisticated and unconventional methods to run phishing campaigns.

In early August, threat actors used a compromised Dynamics 365 Voice of Customer work account and a link in the survey view to steal Microsoft 365 credentials in a widespread campaign.

It is said that protecting email users and email vectors should be a key priority, especially for heavily targeted industries with significant email traffic.