In early September 2022, all across the country, hundreds of Australian energy officials received much the same email. On the surface it looked legitimate to the average person: it came under an Australian-sounding name from someone claiming to represent a modest newspaper called the Australian Morning News, and it asked for feedback on the paper's articles. In some cases it even offered the recipient the honor of writing an article for the newspaper.
The link to the website seemed trustworthy enough; after all, once redirected, the visitor saw plenty of news stories on a wide range of topics. Impressive, right? What looked like a harmless link to a newspaper, however, turned out to be something much bigger and more invasive. Those hundreds of people had likely, without knowing it, invited a state-backed covert cyber operation to access everything, and opened a massive backdoor to Australia's most coveted resources.
How They Targeted Officials
On April 8, 2022, a new domain was registered: australianmorningnews[.]com, supposedly for a new and upcoming newspaper, the Australian Morning News, covering the hottest topics in Australia and abroad. The site, though, was deceptive. Although it did feature numerous articles aimed at an Australian audience, the articles were scraped from legitimate news websites to imitate real BBC articles.
A few days later, a seemingly innocuous email was sent out to hundreds of Australian energy officials. Each recipient received a different email, sent from either a Gmail or an Outlook address, usually with the subject line "Request Cooperation". The emails claimed that the newspaper was seeking feedback, or wanted help writing articles - after all, it was new to the game. Inside each email was an even greater threat - a link.
Each and every article link was unique, with the news website URL ending in ?p=23-
The Technical Infrastructure Behind It
After the unsuspecting victim visited the website and perhaps browsed a few articles, they would be infected with a tool called ScanBox. Rather than dropping executable files the way traditional malware does, it executes directly in the browser. This wasn't new behaviour for ScanBox either: the JavaScript-based reconnaissance and exploitation tool had been used against other victims in a similar way.
So, what did ScanBox do once it was running in the browser? After identifying the visitor, the visitor's system, and their browser configuration, it loaded modular JavaScript plugins. Instead of delivering the whole JavaScript payload in a single block, which could have caused crashes and errors that would tip off the device's owner, the modular plugins avoided both detection and browser crashes, and so avoided suspicion.
The main payload then launched, loading configuration data, identifying which plugins were set to run, and finally pointing the browser at a C2 (command and control) server, hosted under hxxp://image.australianmorningnews[.]com/i/, so the threat actor could communicate with the implant and push additional plugins for follow-on exploitation.
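The two network signals described above, the per-recipient ?p= tracking links on the lure site and the follow-on requests to the image.australianmorningnews[.]com/i/ C2 path, are the things a defender can hunt for in web proxy logs. The script below is an added example, not code from the original post or from any vendor report; it assumes a simple "timestamp client_ip method url" log format, and its log lines and ?p= values are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Indicators as written in the post, kept defanged so this file is safe to share.
LANDING_DOMAIN = "australianmorningnews[.]com"
C2_URL_PREFIX = "hxxp://image.australianmorningnews[.]com/i/"

# Constructed proxy log (not real traffic): "<timestamp> <client_ip> <method> <url>".
# The ?p=23-xxxx values are made-up stand-ins for the per-recipient tracking parameter.
SAMPLE_LOG = """\
2022-04-12T09:01:10Z 10.0.1.21 GET http://australianmorningnews.com/?p=23-0a1b
2022-04-12T09:01:11Z 10.0.1.21 GET http://image.australianmorningnews.com/i/
2022-04-12T09:05:42Z 10.0.1.35 GET http://australianmorningnews.com/?p=23-7c02
2022-04-12T09:05:43Z 10.0.1.35 GET http://image.australianmorningnews.com/i/
2022-04-12T09:07:00Z 10.0.1.40 GET http://www.bbc.co.uk/news/world-12345
2022-04-12T09:09:15Z 10.0.1.52 GET http://australianmorningnews.com/?p=23-e44b
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")

def refang(value: str) -> str:
    """Turn a defanged indicator back into a string that matches real log entries."""
    return value.replace("hxxp", "http").replace("[.]", ".")

def triage(log_text: str) -> dict:
    """Summarise who visited the lure site, who then reached the ScanBox C2 path,
    and how many distinct ?p= tracking values (one per recipient) were seen."""
    landing = refang(LANDING_DOMAIN)
    c2 = urlsplit(refang(C2_URL_PREFIX))
    tracking_ids = defaultdict(set)   # client -> set of ?p= values it requested
    beaconing = set()                 # clients that requested the C2 path
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                  # skip blank or malformed lines
        url = urlsplit(m["url"])
        host = url.hostname or ""
        if host == c2.hostname and url.path.startswith(c2.path):
            beaconing.add(m["client"])
        elif host == landing or host.endswith("." + landing):
            for p in parse_qs(url.query).get("p", []):
                tracking_ids[m["client"]].add(p)
    lured = set(tracking_ids)
    return {
        "lured_clients": sorted(lured),
        "beaconing_clients": sorted(beaconing),
        "confirmed_infections": sorted(lured & beaconing),
        "distinct_tracking_ids": len(set().union(*tracking_ids.values())),
    }
```

A client that only loaded the lure page is a phishing recipient to contact; a client that also requested the /i/ path has run ScanBox and needs incident response.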
The Modular Plugins
The modular plugins chosen for the attack gathered every type of information they could:
- Keylogger plugin - inserted an invisible iframe into the page and captured every keystroke made on it, such as login credentials
- Fingerprinting plugin - collected the browser type and installed browser plugins, specifically looking for particular applications used by the victims
- Peer connection plugin - initiated WebRTC connections via STUN/ICE to discover the victim's private IP addresses
- Security plugin - checked for signs that the user ran Kaspersky anti-virus software, so the implant could avoid being sandboxed
Who Was Behind It?
Attribution for the attack didn't take long, and it all goes back to a known name. Government officials and people working in particular trades tend to be targeted by state-backed operatives. As was established a few months after the attack, it was attributed to a group named Red Ladon, also known as TA243/APT40. Operating on behalf of China as a state-backed covert cyber operations group, they have been carrying out similar attacks since 2013.
Most of the energy officials were likely targeted because they worked on energy exploitation in the South China Sea. In the end, then, this is just one more example of an ever-increasing trend of cyber espionage. Deep surveillance can happen to anyone in a high-value position. Given this, adopting browser isolation tools and network monitoring is always recommended.