Government officials have reacted with concern after a Chinese government-affiliated hacking group was caught impersonating Australian media organisations to target military, government, and public health organisations with information-stealing ScanBox malware.
The activities of the Chinese government-linked group, known to some as TA423/Red Ladon and to others as APT40, have been monitored for several years across numerous countries as it targets organisations with Belt and Road Initiative-related interests.
This year, a two-month campaign against Australian targets – including local and federal government agencies, news media, and manufacturers that maintain wind turbines in the South China Sea – drove cyber security researchers at Proofpoint and PwC to call out the group’s activities.
Targets would receive an email, for example alleging to be from a “humble news website” called Australian Morning News – in reality, a site run by the criminal group that scraped content from sites such as the BBC and Sky News – and requesting they click on a link to provide their feedback.
Clicking the link would install ScanBox, a suite of surveillance tools that first appeared in 2014 and has been used in a variety of contexts including the targeting of China’s Uyghur minority, infecting the US National Foreign Trade Council in 2017, and snooping on Cambodia’s 2018 election.
ScanBox – which Proofpoint says “has been reported more sporadically since its first appearance in 2014 [but] remains a tool available to China-based threat actors to selectively deploy in campaigns” – sends the attackers detailed information about the systems it lands on, allowing them to exploit vulnerabilities in software or operating systems and infect those systems with ransomware, keyloggers, data-stealing tools, or other malware.
The content of the emails and the use of malicious URLs echoed a similar campaign last September, Proofpoint noted, in which APT40 impersonated The Australian and Herald Sun to target Australian interests.
It’s part of an ongoing campaign that, Proofpoint noted, has seen Red Ladon “targeting entities directly involved with development projects in the South China Sea, closely around the time of tensions between China and other countries related to development projects of high strategic importance.”
The nation-state threat is already here
Australian officials reacted to the news with concern, with Shadow Minister for Cyber Security Senator James Paterson expressing “deep concern” about the reported targeting of “sensitive” Australian organisations.
“These actions, if corroborated by our security agencies, represent a significant threat to our institutions and our democracy,” he said, calling on the government “to use every available resource to investigate this serious alleged cyber incident… including using specially designed ‘cyber sanctions’ to send a clear message that these kinds of actions are not acceptable.”
Amidst a climate of escalating geopolitical tensions, concerns about growing nation-state activity – initiated by China and others – have raised alarms amongst Australian companies that now recognise they can easily suffer collateral damage from conflicts half a world away.
A recent Venafi survey of 1,100 security decision makers found that 69 per cent of Australian organisations – more than the 64 per cent global average – believe they have been directly targeted or impacted by a nation-state cyberattack.
Fully 79 per cent believe they are operating in a perpetual state of cyber warfare, with 65 per cent reporting that Russia’s invasion of Ukraine had driven more conversations with their board and senior management about this risk.
“Cyberwar is here,” said Kevin Bocek, vice president for security strategy and threat intelligence with Venafi. “It doesn’t look like the way some people may have imagined that it would, but security professionals understand that any business can be damaged by nation states.”
“The reality is that geopolitics and kinetic warfare now must inform cyber security strategy,” he continued, adding that “everyone is a target – and unlike a kinetic warfare attack, only you can defend your business against nation-state cyberattacks.”
State-sponsored Chinese hacking groups have earned a worldwide reputation for actively targeting other countries, with security firm Crowdstrike last year attributing two-thirds of nation-state cyber activity to the country’s hacking groups and recently noting that Chinese cybercriminals’ use of vulnerabilities had increased sixfold in 2021.
Last year, for example, the US Department of Justice indicted four Chinese nationals – said to be part of the APT40 group – for corporate espionage campaigns that included hacking companies, universities and government entities in a dozen countries to steal R&D data.
“China continues to use cyber-enabled attacks to steal what other countries make,” deputy attorney general Lisa Monaco said at the time, “in flagrant disregard of its bilateral and multilateral commitments… The world wants fair rules where countries invest in innovation, not theft.”