Chinese cyber attackers set up a fake Australian publication to mine sensitive information. Photo / Getty Images
Chinese cyber attackers mined Australian computer systems for months, seeking vital information about defence and energy.
American cyber security firm Proofpoint revealed the “Red Ladon” group — said to be linked to the Chinese government — set up a fake Australian publication and attempted to goad Aussie employees connected to sensitive information into clicking a link that infected their computers with malware.
Workers at high-profile media companies, and at defence and health agencies, were reportedly targeted for three months in 2022, particularly throughout the federal election.
The Australian reported the phishing scam was seeking sensitive defence, navy and energy information relating to the South China Sea.
The emails tried to persuade people to visit a website called Australian Morning News, which was a fake news website filled with malware that would allow spies to obtain victims’ data.
Vice-president of threat research and detection at Proofpoint, Sherrod DeGrippo, said Red Ladon (otherwise known as TA423) posed one of the world’s biggest threats to cyber security.
“They support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan,” DeGrippo said, admitting early analysis has not yet revealed how successful the scam was.
“This group specifically wants to know who is active in the region and while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia.
“Proofpoint blocks these threats when they’re detected in email against our customers. What may happen or damages that may occur if the threat actors get access via another method or if they are attempting delivery via another means is not something we can speak to.”
Proofpoint, working closely with PwC, said Red Ladon hackers have been targeting sensitive information both in Australia and overseas.
“These targets regularly included military academic institutions, as well as local and federal government, defence, and public health sectors,” Proofpoint said in a report.
The shady hacking group also attempted to breach Cambodia’s National Election Commission in the lead-up to the nation’s federal election four years ago.
“Red Ladon’s 2018 ScanBox activity targeting Cambodia involved domains masquerading as news websites and targeted high-profile government entities,” the report said.
“One of the ScanBox server domains used in that campaign, mlcdailynews[.]com, hosted several articles about Cambodian affairs and US and East Asia relations, for which contents were copied from legitimate publications (Khmer Post, Asia Times, Reuters, Associated Press).
“These were likely used as lures in phishing emails to convince targets to follow malicious links to the actor-controlled ScanBox domain.”