Threat Insight Profile picture
Nov 10, 2022 7 tweets 5 min read Read on X
Congratulations to @threatinsight researcher @aRtAGGI for presenting his research today at @CYBERWARCON, which links #Leviathan #TA423 #RedLadon campaigns against offshore energy companies in the #SouthChinaSea to kinetic maritime operations conducted by the Chinese Coast Guard! ImageImage
Researchers at @proofpoint identified RTF template injection campaigns from June 2021 - March 2022 targeting hydrocarbon exploration & offshore energy sectors just before Chinese Coast Guard intervention at key sites indicating a tie between cyber espionage & manned maritime ops. Image
A full technical analysis of this years-long cyber espionage operation was published earlier this year alongside talented guest author @cyberoverdrive! ow.ly/wLSW50LzmpM
Key technical & temporal correlations may indicate that Leviathan as a CN MSS contractor, may be servicing the intelligence needs of the CN Coast Guard. The 2021 CCG Law requires the CCG to patrol and prevent foreign energy operations in contested waters of the South China Sea. ImageImage
Contested sovereignty claims in the South China Sea have given rise to increasing grey-zone conflict in the region, which now clearly include the support of known nation-state APT actors. Image
While the most prominent case of kinetic maritime support was observed in Malaysia, Leviathan also was seen targeting the supply chain of Taiwanese windfarms in March 2022. Image
With the global #offshoreenergy sector growing in the #SouthChinaSea and grey-zone conflict expanding, @threatinsight forecasts that known APTs will continue to conduct cyber espionage in the region in the future.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Threat Insight

Threat Insight Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @threatinsight

Nov 2, 2022
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive.
Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company.
Read 5 tweets
Jun 3, 2022
Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.
This campaign masqueraded as a salary increase and utilized an RTF (242d2fa02535599dae793e731b6db5a2) with the exploit payload downloaded from 45.76.53[.]253. Image
The downloaded Powershell script was base64 encoded and used Invoke-Expression to download an additional PS script (dbd2b7048b3321c87a768ed7581581db) from seller-notification[.]live.
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(