Chinese Hackers Use SandBox Framework To Target Multiple Governments, Businesses In South China Sea

Chinese hackers have reportedly targeted governments in Australia, Malaysia and Europe, as well as businesses that operate in the South China Sea, cybersecurity researchers said Tuesday. China-based hacker group APT40, which is also known as TA423, Leviathan and by several other names, is reportedly behind the cyberattack.

Cybersecurity firm Proofpoint in a blog post said that it, along with the PwC Threat Intelligence team, jointly identified the campaign, active from April through June. The report said the hackers, posing as an Australian news website, delivered the ScanBox exploitation framework to targets who visited a malicious domain.

The group has targetted governments and organizations, specifically seeking information related to the disputed South China Sea. Entities targeted by the group include global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the water body.

China claims large parts of the South China Sea under what it calls the nine-dash line, but there are also overlapping claims by other littoral states. China has occupied some of the disputed islands and militarized them, and regularly sends its ships and fishing fleet into some of the other disputed islands, keeping the disputes simmering.

According to a report in Security Week, ScanBox framework is designed for reconnaissance missions, which uses "plugins" to collect "various pieces of information on the visitors of targeted websites." Information picked up by the plugins include details on visitors' computers and the software they are running. The tool is also reported to include "keylogging functionality" that records "all the keystrokes performed by users while visiting a site."

In its report, Proofpoint said these attacks started with phishing emails from Gmail and Outlook email addresses, posing as an employee of a fictional media publication called "Australian Morning News," with a variety of subjects including "Sick Leave," "User Research" and "Request Cooperation." The email solicited victims to visit malicious domains to view its website or share research content that the website was purportedly seeking to publish. Upon clicking the link, it would redirect the victim to a site that served the ScanBox framework.

The report said that although the emails were not impersonating any existing Australian media publication, it did copy content from legitimate news publications (including the BBC and Sky News), which was then displayed when victims navigated to the website.

Chinese hacker groups have been active in the recent past. In December, Microsoft reported that it had disrupted a China-based hacking group called Nickel that targeted organizations in the U.S. and 28 other countries around the world.

During that period, another U.S.-based private cybersecurity company reported that Chinese hackers, likely state-sponsored, have been broadly targeting government and private-sector organizations across Southeast Asia, including those closely involved with Beijing on infrastructure development projects in China.