A Chinese-backed hacking group—posing as an Australian news site—has run a systematic campaign targeting government agencies, news media, and heavy industries involved in wind turbine supply chains to the South China Sea.
The group, TA423/Red Ladon, was previously the subject of an indictment from the U.S. Justice Department and has been active since 2013, targeting defence contractors, manufacturers, universities, government agencies, and companies connected to either the South China Sea region or Australasia.
Its latest cyber espionage campaign, from April to June 2022, involved emailing targets from a Gmail or Outlook address—likely created by the hacker group—with subject headers like: “Sick Leave,” “User Research,” and “Request Cooperation.”
According to research from Proofpoint and PwC Threat Intelligence, the email claimed to be from a “humble news website” and solicited feedback while providing a link to a fake news outlet called “Australian Morning News.” Users who clicked through to the web page would then be served malware.
“The campaign has an international reach, but a heavy focus on the Asia Pacific region, Australian governmental entities, and companies and countries operating in the South China Sea,” the researchers said.
“In particular, Proofpoint has observed TA423/Red Ladon targeting entities directly involved with development projects in the South China Sea closely around the time of tensions between China and other countries related to development projects of high strategic importance, such as the Kasawari Gas field developed by Malaysia, and an offshore wind farm in the Strait of Taiwan.”
A Wide Range of Targets
Experts say the group repeated the same tactic during the Cambodian elections in 2018 and September 2021.
“[From June 2021 to May 2022] Australian targets regularly included military academic institutions, as well as local and federal government, defense, and public health sectors,” the researchers added.
“Malaysian targets included offshore drilling and deep-water energy exploration entities as well as global marketing and financial companies. Several global companies were also targeted that appear to relate to the global supply chains of offshore energy projects in the South China Sea.”
They include heavy industry, manufacturers of wind turbine installation components, exporters of energy, large consulting firms providing advice on the projects, and construction companies.
“This threat actor has demonstrated a consistent focus on entities involved with energy exploration in the South China Sea, in tandem with domestic Australian targets including defense and health care.”
Australian Senators Simon Birmingham and James Paterson—who is also the shadow minister for cyber security—responded to the incident saying it was a “significant threat” to local institutions.
“We call on the government to provide clear advice to Australian individuals and businesses about how they can protect themselves against this kind of malicious cyber activity, that has the potential to cause serious harm to our national security,” they said in a statement.
“All options should be on the table for consideration, including using the specially designed ‘cyber sanctions’ that are contained within Australia’s Magnitsky Autonomous Sanctions Regime to send a clear message that these kinds of actions are not acceptable.”