According to leading US security firm Proofpoint, Chinese hackers constructed a phoney news website to steal information from Australian government officials, journalists, and others. We look more closely at this watering hole attack, and remind you how to protect your own organisation.
How were the attacks carried out?
Calling itself Australian Morning News, the spoof website fooled a host of Australian MPs. The victims were duped into visiting the malicious website after opening emails purporting to be from various Australian news outlets. Numerous Australian politicians were taken in by the attack.
Articles from BBC News were copied and pasted into the bogus site
Articles on the site were copied from the BBC News website; the spoof site then infected visitors' computers with malware, in the manner of a classic watering hole attack.
According to Proofpoint’s assessment, the hackers were working for the Chinese government. Proofpoint’s vice president of threat research and detection, Sherrod DeGrippo, explained this conclusion, saying, “We take attribution very seriously. We specifically don’t release attribution unless we have high confidence. Essentially, a big part of our attribution capability comes from the fact that the United States Department of Justice agrees with the attribution and data that we have released.”
The danger of espionage attempts
According to the report, the group is a China-based, espionage-motivated threat actor that has been active since 2013, targeting a number of organisations in response to political events in the Asia-Pacific area, with a concentration on the South China Sea. Proofpoint claims the hackers were part of the same organisation that the UK’s National Cyber Security Centre prosecuted in 2021.
Proofpoint reported that between April and June, victims received emails from the group claiming to be from a newly launched news website. They were then invited to check out the website and to consider contributing articles.
English names and bogus accounts created false sense of confidence
Ms DeGrippo remarked that what she believed was quite new about this watering hole attack was that the attackers went to the trouble of creating phoney media websites, scraping legitimate sites including the BBC in their efforts to appear real. To make their attacks seem more credible, they constructed a whole set of phoney identities to launch them from, making up around 50 aliases under which to send messages. All the names sounded quite English, as you might expect Australians to be called. Names including Daisha Manalo, Blair Goodland, and Bethel Giffen were used, each associated with a different Gmail address.
The bogus news website asked victims to contribute articles
The bogus site delivered a programme called Scanbox to the user's computer, which profiled the user, their device, and the websites they visited. Essentially, Scanbox is an online reconnaissance and exploitation platform.
Although the attack appeared to target the energy production industry, including those working in offshore energy exploration in the South China Sea, wind turbine production, and alternative energy, it also targeted the defence industry and the healthcare and finance sectors.
Consumers are normally not on the radar of Chinese espionage agencies. But anyone in a sensitive position in their professional work, even if they deal with topics like engineering, things that might not appear to be state secrets… the reality is that China perceives them as secrets and as crucial espionage material.
How do I protect my company from watering hole attacks?
You should use up-to-date browsers and keep your firewalls and antivirus software activated. Consider the sensitive nature of the information your employees or users access, and whether they have adequate technological safeguards in place to prevent breaches of this nature. The key message is that by the time a lure reaches a human, it is truly too late.
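To show what a technical safeguard for the lure described above can look like, here is an added example of a mail-triage heuristic (not code from Proofpoint, Flywheel, or the report). It scores inbound messages against the pattern the article describes: a news-outlet persona sent from free webmail, an invitation to contribute articles, and a link to a news-themed domain that is not one of the outlets the organisation actually deals with. The outlet list, webmail list, and sample messages are all constructed assumptions.

```python
"""Triage heuristic for the 'fake news site' lure (added example; sample data constructed)."""
import re
from urllib.parse import urlparse

# Assumption: outlets the organisation genuinely receives mail from (edit for your estate).
KNOWN_OUTLETS = {"bbc.co.uk", "abc.net.au", "smh.com.au"}
# Assumption: free webmail providers a real newsroom would not send from.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
NEWS_WORDS = re.compile(r"\b(news|morning|herald|times|tribune)\b", re.I)
HOST_NEWS = re.compile(r"news|morning|herald|times|tribune", re.I)
LURE_WORDS = re.compile(r"\b(contribute|submit an article|write for us|newly launched)\b", re.I)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg):
    """Return (score, reasons) for a message dict with keys
    from_name, from_addr, subject, body, links."""
    reasons = []
    claims_news = bool(NEWS_WORDS.search(msg["from_name"] + " " + msg["subject"]))
    if claims_news and sender_domain(msg["from_addr"]) in FREE_WEBMAIL:
        reasons.append("news-outlet persona sent from free webmail")
    if LURE_WORDS.search(msg["body"]):
        reasons.append("invitation to contribute articles")
    for link in msg["links"]:
        host = (urlparse(link).hostname or "").lower()
        known = any(host == o or host.endswith("." + o) for o in KNOWN_OUTLETS)
        if not known and HOST_NEWS.search(host):
            reasons.append(f"link to unknown news-themed domain {host}")
    return len(reasons), reasons


def triage(messages, threshold=2):
    """Return (sender, reasons) for every message scoring at or above threshold."""
    hits = []
    for m in messages:
        score, reasons = score_message(m)
        if score >= threshold:
            hits.append((m["from_addr"], reasons))
    return hits


SAMPLE_MESSAGES = [  # constructed, not real mail
    {"from_name": "Australian Morning News", "from_addr": "editor.alias@gmail.com",
     "subject": "Newly launched news site - would you contribute?",
     "body": "We are a newly launched site and would love you to contribute an article.",
     "links": ["https://australianmorningnews.example/"]},
    {"from_name": "BBC News", "from_addr": "newsletter@bbc.co.uk",
     "subject": "Your daily briefing", "body": "Top stories today.",
     "links": ["https://www.bbc.co.uk/news"]},
]
```

Run `triage(SAMPLE_MESSAGES)` to see the lure flagged on all three counts while the genuine newsletter scores zero; wire the same function into your mail gateway's quarantine hook to hold such messages before a human sees them.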
Flywheel supports several hundred UK organisations by managing their cyber security solutions, including backups, anti-malware and anti-ransomware, and disaster recovery solutions.
Find out more by reading our cyber security recommendations for businesses, or get in touch using our contact form and tell us what you need.