2022-08-30

It looks like industrialised cyberattacks are headed downmarket.

US cyber security vendor Proofpoint has pointed the finger at Chinese state-sponsored actors as the protagonists of a series of so-called ‘watering hole’ cyberattacks on Australian government and media organisations that were baited by a copycat news website featuring content stolen from agencies including Reuters and the BBC.

While the specific Australian companies and agencies targeted by the attacks are not specified in the report, the security firm has published the typology and fingerprints of the attacks, which used a combination of targeted phishing and controlled websites made to look like republished content.

As usual, government agencies were a target, including local governments.

“Proofpoint assesses with moderate confidence that the campaigns were conducted by the China-based, espionage-motivated threat actor TA423, which PwC tracks as Red Ladon and which also overlaps with ‘Leviathan,’ ‘GADOLINIUM,’ and ‘APT40’,” Proofpoint and PwC said in their report.

The attacks weigh the risk of attribution against the likelihood of exfiltrating useful intelligence, or otherwise unobtainable intellectual property, on an industrial scale.

TA423 and its affiliates are already well known to Australian intelligence agencies, with the Australian Signals Directorate (ASD) and Department of Home Affairs’ Critical Infrastructure putting out an advisory on observed “tactics, techniques and procedures (TTPs)” in 2020.

“The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor. This activity represents the most significant, coordinated cybertargeting against Australian institutions the Australian Government has ever observed,” ASD said at the time.

In those attacks, says ASD, “the actor was identified making use of compromised legitimate Australian websites as command and control servers. Primarily, the command and control was conducted using web shells and HTTP/HTTPS traffic. This technique rendered geo-blocking ineffective and added legitimacy to malicious network traffic during investigations.”
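The technique ASD describes, command and control running over ordinary HTTP/HTTPS through web shells on compromised legitimate domains, defeats geo-blocking and reputation filters because the destination is a trusted local site. What survives is the traffic's shape: a machine polling one script at a fixed interval. The following is an added example, not code from the Proofpoint/PwC report or the ASD advisory; it assumes a simplified one-line-per-request proxy log format, constructed sample lines with hypothetical hosts and domains, and a hand-picked list of static-content directories, and it flags a client/URL pair purely on timing regularity and on POST traffic to a server-side script sitting where only static files should be.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (hypothetical clients and domains).
# Format: timestamp client method host path status bytes
SAMPLE_LOG = """\
2022-08-30T09:00:00 10.1.1.20 GET news.example.com.au /index.html 200 41200
2022-08-30T09:00:05 10.1.1.20 GET news.example.com.au /css/site.css 200 3100
2022-08-30T09:00:00 10.1.1.77 POST council.example.com.au /images/upload.aspx 200 512
2022-08-30T09:05:00 10.1.1.77 POST council.example.com.au /images/upload.aspx 200 498
2022-08-30T09:10:00 10.1.1.77 POST council.example.com.au /images/upload.aspx 200 507
2022-08-30T09:15:00 10.1.1.77 POST council.example.com.au /images/upload.aspx 200 501
2022-08-30T09:20:00 10.1.1.77 POST council.example.com.au /images/upload.aspx 200 510
2022-08-30T09:25:00 10.1.1.77 POST council.example.com.au /images/upload.aspx 200 495
2022-08-30T09:03:12 10.1.1.20 GET news.example.com.au /article/123 200 38800
2022-08-30T09:41:50 10.1.1.20 GET news.example.com.au /article/456 200 39900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def find_beacons(events, min_hits=5, max_cv=0.2):
    """Return (client, host, path, mean_gap_s, cv) for request streams that look machine-driven.

    Requests are grouped per client and URL, sorted by time, and the coefficient
    of variation (stdev / mean) of the gaps between them is computed. A low CV
    over enough hits means a near-constant interval, the hallmark of a beacon
    rather than a person browsing. Destination reputation is deliberately not
    consulted: the host may be a legitimate domain, as in the advisory.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["client"], ev["host"], ev["path"])].append(ev["ts"])
    suspects = []
    for (client, host, path), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            suspects.append((client, host, path, round(avg), round(cv, 3)))
    return suspects


def find_script_posts(events, exts=(".aspx", ".asp", ".php", ".jsp")):
    """Flag POSTs to server-side scripts under directories that normally serve static files.

    A web shell is typically one script dropped into an existing web root, so a
    POST conversation with a single such file under /images/ or similar stands
    out. The directory list is an assumption for this example.
    """
    static_dirs = ("/images/", "/css/", "/js/", "/static/", "/uploads/")
    hits = set()
    for ev in events:
        if ev["method"] != "POST":
            continue
        if ev["path"].lower().endswith(exts) and ev["path"].startswith(static_dirs):
            hits.add((ev["client"], ev["host"], ev["path"]))
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for s in find_beacons(evs):
        print("beacon-like timing:", s)
    for h in find_script_posts(evs):
        print("POST to script in static directory:", h)
```

On the sample, the browsing client never accumulates enough hits to any one URL, while the second client's six POSTs to a single `.aspx` file land exactly five minutes apart and are reported by both checks. Real logs need a wider `max_cv` for jittered beacons and an allow-list for legitimate pollers such as update checks, but the point stands: when the destination is a trusted domain, timing and path structure are what remain to alert on.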

What appears to have changed is that the state-sponsored exfiltrators have now moved on to setting up free websites that look and feel like roboticised republishing exercises that attract traffic through brazen recycling.
