According to a top US security company, hackers created fake news websites to gather data from journalists, government officials and others.
The emails, which claimed to come from Australian news outlets, contained links to a malicious website. Rather than original reporting, the website was filled with content stolen from BBC News and installed malicious code on the visitor’s device. Proofpoint said it was highly confident that the hackers were working with the Chinese government.
Proofpoint threat research and detection vice-president Sherrod DeGrippo said, “We take attribution very seriously. We specifically don’t release attribution unless we have high confidence. Essentially, a big part of our attribution capability comes from the fact that the United States Department of Justice agrees with the attribution and data that we have released.”
“The reason that we have such high confidence in this particular attribution really goes back to the DoJ indictment, which mentions these defendants and specifically calls out the Proofpoint name identifier of ‘Leviathan’.” Proofpoint states that the hackers were part of a four-member group charged by the US government in 2021, with the UK’s National Cyber Security System saying that it was sure they were linked to the Chinese government.
It further stated that the group was “a China-based, espionage-motivated threat actor that has been active since 2013, targeting a variety of organizations in response to political events in the Asia-Pacific region, with a focus on the South China Sea.”
The Australian Cyber Security System has been asked to respond. The group’s latest hack took place between April and June, when targets received emails purporting to come from someone who had just started the website, asking them to review it and write for it.
Ms. DeGrippo stated, “What I think is quite novel about it is they went so far as to create these fake media websites by scraping legitimate sites, including the BBC, in their efforts to appear real. And further, they created multiple identities that they were sending from. There’s about 50 of them… all of the very Anglo-styled names you might imagine Australians to be named.”
“They created all sorts of pseudo identities to launch the attack, making them more believable.” “The fake names – each with their unique Gmail address – included Daisha Manalo, Blair Goodland, and Bethel Giffen.” The website would then infect the target’s system with a tool called Scanbox, which profiles the victim, the web pages they visit and the device they use.
Ms. DeGrippo added, “Scanbox essentially is a web reconnaissance and exploitation framework. When we think about that, in conjunction with the actor who is a China-based espionage group, it makes sense.”
The attack appeared to focus on people in energy production, such as offshore energy exploration in the South China Sea, alternative energy and wind turbine manufacture, along with defense contractors and individuals in financial services and health care. Ms. DeGrippo says, “Consumers generally are not on the radar of Chinese espionage services.”
“However, anyone who has a sensitive role within their professional employment, even if they’re dealing with things such as engineering, things that might not seem like state secrets… the reality is China sees them as secrets and as important espionage information.” “People should ensure their browsers were updated, and firewall and antivirus software turned on.”
She said, “Organisations professionally must think about the kinds of data their employees have access to and if they have the correct technological means in place to protect their employees from these kinds of attacks.”
“By the time it gets to a human, it’s too late.”