Chinese hackers likely targeted energy companies operating in the South China Sea and Australia’s government, according to a US tech security firm, the latest accusation of coordinated cyber snooping by the Asian giant to advance its geopolitical goals.

Researchers uncovered an ongoing phishing campaign lasting more than a year that has been aimed at projects including the Kasawari gas field and a wind farm in the Taiwan Strait, Proofpoint Inc. said in a report on Tuesday. The gas project is in Malaysian waters and operated by Petroliam Nasional Bhd., which declined to comment on the research report. Petronas did say it follows best practices to protect its assets and operations.

Proofpoint said it had “moderate confidence” that the hacking was being performed by a group called TA423, adding it is based in China and motivated by espionage.

The US government and cybersecurity companies have long alleged that China runs expansive hacking operations. In July, Federal Bureau of Investigation Director Christopher Wray warned Western companies that China aims to “ransack” their intellectual property so it can eventually dominate key industries. It operated a “lavishly resourced hacking programme that’s bigger than that of every other major country combined,” he said.

China routinely denies the accusations, saying it is a victim of cyberattacks and countering that the US is the “empire of hacking”. The Foreign Ministry in Beijing didn’t immediately respond to a request for comment on Tuesday.

China claims more than four-fifths of the South China Sea as its own, angering Malaysia, the Philippines and Vietnam. The body of water is one of the world’s busiest shipping routes, and the US estimates that more than 30 per cent of the global maritime crude oil trade passes through it.

Proofpoint said that emails used in the phishing campaign against the Australian government impersonated media organisations including The Australian and Herald Sun to deliver ScanBox malware. PwC Threat Intelligence, which assisted Proofpoint in its research, “assesses it is highly likely that ScanBox is shared privately amongst multiple China-based threat actors,” its report said.

News Corp. representatives in Australia didn’t immediately respond to a request for comment.

Proofpoint said a ScanBox campaign running from April to June targeted agencies of the Australian government at both the local and federal level. An earlier phishing effort was centred on a European maker of heavy equipment for a wind farm in the Taiwan Strait, the report added.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said TA423’s “focus on naval issues is likely to remain a constant priority in places like Malaysia, Singapore, Taiwan and Australia.”

Bloomberg report in SCMP, Aug 31, 2022

https://www.scmp.com/news/asia/australasia/article/3190775/south-china-sea-us-firm-accuses-chinese-hackers-targeting?module=lead_hero_story&pgtype=homepage