Source: Proofpoint. A timeline of detected phishing activity involved in the ongoing TA423 campaign from May 2021 – June 2022.
Proofpoint and PwC Threat Intelligence have jointly identified a sustained cyber espionage phishing campaign, running for over a year and currently ongoing, that delivered the ScanBox exploitation framework to targets who visited a malicious domain posing as an Australian news website. The targets of the campaign spanned Australia, Malaysia, and Europe, as well as entities that operate in the South China Sea.
The joint efforts of Proofpoint and PwC researchers provide a moderate confidence assessment that recent campaigns targeting the federal government, energy, and manufacturing sectors globally may represent efforts by China-based TA423 / Red Ladon.
TA423 / Red Ladon is an espionage-motivated threat actor that has been active since 2013, targeting defense contractors, manufacturers, universities, government agencies, legal firms involved in diplomatic disputes, and foreign companies involved with Australasian policy or South China Sea operations, the two companies said.
In a blog post on the Proofpoint website, the authors said that TA423 has targeted entities directly involved with strategic development projects in the South China Sea around the time of tensions between China and other countries. Such projects include the Kasawari Gas field developed by Malaysia, and an offshore wind farm in the Straits of Taiwan.
Sherrod DeGrippo, VP of Threat Research and Detection at Proofpoint, said: “TA423 is one of the most consistent APT actors in the threat landscape. They support the Chinese government in matters related to the South China Sea, including during the recent tensions in Taiwan. This group specifically wants to know who is active in the region and, while we can’t say for certain, their focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan, and Australia.”
APT refers to advanced persistent threats.
Proofpoint and PwC expect TA423 / Red Ladon to continue pursuing its intelligence-gathering and espionage mission primarily targeting countries in the South China Sea, as well as further intrusions in Australia, Europe and the US, the blog authors said.
