According to a major US security company, hackers created a fake news website to collect data from Australian government officials, journalists and others.
The targets received emails claiming to be from Australian media, linking them to a malicious website.
The website, populated with articles stolen from BBC News, would then install malicious code on their device.
Proofpoint said it had “high confidence” that the hackers were aligned with the Chinese government.
“We take attribution very seriously,” said Sherrod DeGrippo, vice president of research and threat detection at Proofpoint.
“We only specifically release the attribution if we have high confidence.
“Essentially, a lot of our attribution ability comes from the United States Department of Justice agreeing with the attribution and the data that we have released.
“The reason we have such high confidence in this particular attribution really goes back to the DoJ indictment, which names these defendants and specifically calls out the Proofpoint name identifier of ‘Leviathan’.”
“Espionage-motivated threat”
Proofpoint said the hackers belonged to a group four of whose members were charged by the US in 2021, when the UK’s National Cyber Security Centre said it was “almost certain” that they were linked to the Chinese government.
It described the group as “a China-based, espionage-motivated threat actor that has been active since 2013, targeting various organisations in response to political events in the Asia-Pacific region, with a focus on the South China Sea”.
The Australian Cyber Security Centre has been approached for comment.
In the group’s most recent campaign, between April and June, victims received emails claiming to be from someone who had started a news site, Proofpoint said.
They were then asked to review the site and consider writing for it.
“What I think is quite new about this is that they have gone so far as to create these fake media websites, scraping legitimate sites including the BBC in their effort to look real,” Ms DeGrippo said.
“And on top of that, they created multiple identities that they were sending from.
“There are about 50 … all the very Anglo-Saxon names you could imagine Australians going by.
“They created all these sorts of pseudo-identities to launch the attack, which makes them more believable.”
The fake names, each with its own unique Gmail address, included Daisha Manalo, Blair Goodland and Bethel Giffen.
The fake website delivered malware that would infect the victim’s computer with a tool called Scanbox, which profiled the visitor, their device and the web pages they visited.
“Scanbox is essentially a web-based reconnaissance and exploitation framework,” Ms DeGrippo said.
“When you think about it, in conjunction with the actor being a China-based spy group, it makes sense.”
The attack appeared to focus on people involved in energy production, such as offshore energy exploration in the South China Sea, wind turbine manufacturing and alternative energy, but also on defence contractors and people working in health and financial services.
“Consumers are generally not on the radar of Chinese spy services,” Ms DeGrippo said.
“However, anyone who has a sensitive role in their professional job, even if they are involved in things like engineering, things that might not seem like state secrets … the reality is that China regards them as secrets and as important spy information.”
People should make sure their browsers have been updated and that firewall and anti-virus software are enabled, Ms DeGrippo said.
But she added: “Business organizations need to think about what types of data their employees have access to and whether they have the appropriate technological means in place to protect their employees against these types of attacks.
“By the time it gets to a human, it’s really too late.”