Red Landon Cyber Espionage Campaign

A cyberespionage group from china dubbed TA423 (aka Red Landon or APT 40) has been seen targetting Australian officials with reconnaissance malware called Scanbox to steal details about the victims hackers could use to execute more targeted strikes.

The cyberespionage campaign that focused on government, energy and manufacturing personnel in the Asia-Pacific region deployed phishing emails directing targets to a fake news outlet.

Advertisements

Active since 2013, with a primary focus on the South China Sea, but known to have victims across the globe. In 2021, the Department of Justice tied APT40 to China’s Ministry of State Security.

The hacking group in recent campaign appeared to focus on global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea. In the previous campaign back in 2018 it targetted Cambodia.

The phony “Australian Morning News” news site contained images and stories lifted from legitimate news organizations, With subject lines such as “Sick Leave,” “User Research” and “Request Cooperation,” the phishing emails initiated with the sender was starting a “humble news website” and wanted feedback.

The ScanBox allows attackers to log keystrokes and to collect a range of information about victims to better calibrate future exploitation, such as software versions and configurations, operating system details, browser versions.

Back in February 2021, researchers observed another Chinese-aligned group, TA413, using Scanbox to target Tibetan organizations globally.