Full Report
Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool.
Analysis Summary
# Threat Actor: TA423 (Red Ladon)
## Attribution & Identity
* **Identification:** China-based Advanced Persistent Threat (APT) actor.
* **Aliases/Associations:** Known as **Red Ladon**.
* **Affiliation:** Moderately assessed to operate out of Hainan Island, China. Multiple reports, together with a 2021 US DOJ indictment, link TA423 to long-running support for the **Hainan Province Ministry of State Security (MSS)**, which handles Chinese counter-intelligence, foreign intelligence, and industrial/cyber espionage.
## Activity Summary
The actor conducted cyber-espionage campaigns believed to have run from **April 2022 through mid-June 2022**. The activity centred on a watering hole operation whose goal was to plant the ScanBox reconnaissance framework in targets' browsers. The lures were targeted phishing emails with subjects such as “Sick Leave,” “User Research,” and “Request Cooperation,” purporting to come from an employee of a fictional outlet, the “Australian Morning News.” The emails linked to an actor-controlled website (australianmorningnews\[.\]com) that republished legitimate news content copied from outlets such as the BBC and Sky News; any visitor to that site was served the ScanBox JavaScript.
## Tactics, Techniques & Procedures
- **Delivery:** Targeted phishing emails steering victims to an actor-controlled news look-alike site; the “watering hole” here was built by the actor rather than being a compromised legitimate site.
- **Reconnaissance Execution:** Any browser that loaded the watering hole page was served the JavaScript-based **ScanBox** framework; nothing is downloaded or installed beyond the script the page itself runs.
- **Covert Reconnaissance:** ScanBox writes no payload to disk and gathers intelligence solely through page JavaScript, including a **keylogger** plugin. Because it is page script, the keylogger sees only what is typed into the malicious page itself (the browser sandbox keeps it out of other tabs and applications), so what it can steal is bounded by what the lure page persuades the visitor to enter.
- **Browser Fingerprinting:** Initial collection of visitor information: operating system, browser language, and installed Adobe Flash version (a legacy check; Flash reached end of life at the end of 2020, so its presence or absence is itself a fingerprinting signal).
- **Network Mapping (WebRTC/STUN):** ScanBox drives WebRTC through **STUN (Session Traversal Utilities for NAT)** servers as part of **ICE (Interactive Connectivity Establishment)** candidate gathering. The STUN binding response reveals the address the victim's NAT presents to the internet, and the host candidates can expose the browser's internal interface address, so the operator learns where the victim sits inside its network and can establish direct communication with the victim's browser even when it is behind a NAT firewall.
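To make the WebRTC/STUN step concrete, the following is an added example (not ScanBox's own code, and not taken from the report) of how page-embedded JavaScript parses the ICE candidates a browser emits during STUN-assisted gathering and reduces them to the internal and NAT-facing addresses an operator wants. The STUN server URL, the sample candidate lines and every address in them are constructed assumptions; the parsing functions run under Node, while `gatherCandidates()` needs a browser's `RTCPeerConnection`.

```javascript
// Added example, not ScanBox code: how page-embedded JavaScript turns WebRTC
// ICE candidates into a picture of where the visiting browser sits.
// Browsers report candidates as SDP "candidate:" lines (RFC 8839 s5.1).
// A "host" candidate carries an interface address (often RFC 1918); a
// "srflx" (server-reflexive) candidate carries the address the STUN server
// saw, i.e. the NAT's public side. Parsing is pure string work, so it runs
// under Node as well as in a browser; only gatherCandidates() needs the
// browser's RTCPeerConnection.

const RFC1918 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./];

function isPrivateIPv4(ip) {
  return RFC1918.some((re) => re.test(ip));
}

// Parse one candidate line. Returns null for anything that is not a
// candidate attribute (callers treat that as "ignore").
function parseIceCandidate(line) {
  const m = line.match(
    /^(?:a=)?candidate:(\S+)\s+(\d+)\s+(udp|tcp)\s+(\d+)\s+(\S+)\s+(\d+)\s+typ\s+(host|srflx|prflx|relay)(?:\s+raddr\s+(\S+)\s+rport\s+(\d+))?/i,
  );
  if (!m) return null;
  const [, foundation, component, transport, priority, address, port, type, raddr, rport] = m;
  return {
    foundation,
    component: Number(component),
    transport: transport.toLowerCase(),
    priority: Number(priority),
    address,
    port: Number(port),
    type: type.toLowerCase(),
    relatedAddress: raddr || null,
    relatedPort: rport ? Number(rport) : null,
    // Chromium has hidden host addresses behind mDNS names since 2019
    // unless the page holds camera/microphone permission; flag that case.
    mdns: /\.local$/i.test(address),
  };
}

// Reduce a candidate set to what a reconnaissance operator wants:
// internal addresses, the NAT's public address, and whether they differ.
function summarizeCandidates(lines) {
  const parsed = lines.map(parseIceCandidate).filter(Boolean);
  const local = new Set();
  const pub = new Set();
  for (const c of parsed) {
    if (c.type === 'host' && !c.mdns && isPrivateIPv4(c.address)) local.add(c.address);
    if (c.type === 'srflx') pub.add(c.address);
  }
  return {
    localAddresses: [...local].sort(),
    publicAddresses: [...pub].sort(),
    behindNat: parsed.some(
      (c) => c.type === 'srflx' && c.relatedAddress !== null && c.relatedAddress !== c.address,
    ),
    mdnsObfuscated: parsed.some((c) => c.mdns),
  };
}

// Browser-only: trigger ICE gathering against a STUN server without any
// remote peer. A throwaway data channel plus a local offer is enough to make
// the browser send STUN binding requests; each candidate arrives through
// onicecandidate. stunUrl is an assumption, e.g. 'stun:stun.example.org:3478'.
function gatherCandidates(stunUrl, timeoutMs = 2000) {
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const lines = [];
    pc.onicecandidate = (ev) => {
      if (ev.candidate) lines.push(ev.candidate.candidate);
    };
    pc.createDataChannel('probe');
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(() => {
      pc.close();
      resolve(summarizeCandidates(lines));
    }, timeoutMs);
  });
}

// Constructed sample: what a browser on 192.168.1.23 behind a NAT whose
// public address is 203.0.113.7 (documentation range) would report.
const SAMPLE_CANDIDATES = [
  'candidate:842163049 1 udp 2122260223 192.168.1.23 54123 typ host generation 0',
  'candidate:1234567890 1 udp 1686052607 203.0.113.7 54123 typ srflx raddr 192.168.1.23 rport 54123 generation 0',
];

console.log(summarizeCandidates(SAMPLE_CANDIDATES));
```

The `mdns` flag matters for defenders: in current Chromium-based browsers the host candidate usually carries a per-origin mDNS name rather than an interface address, so the internal-address leak often does not happen at all; the server-reflexive public address still comes back, which is enough to place a victim behind a particular egress point.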
## Targeting
* **Sectors:** In the 2022 campaign, Australian domestic organizations and offshore energy firms operating in the South China Sea. Historically (per past indictments), the aviation, defense, education, government, health care, biopharmaceutical, and maritime sectors.
* **Geography:** Organizations in Australia and those operating in the South China Sea region. Historically, they have targeted victims globally, including the US, Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the UK.
* **Victims:** Organizations engaging in activities related to the South China Sea and Taiwan tensions.
## Tools & Infrastructure
* **Malware families used:** **ScanBox** (a multifunctional, customizable JavaScript-based reconnaissance framework).
* **Infrastructure:**
* Watering hole domain: australianmorningnews\[.\]com (actor-controlled; served the ScanBox script after a phishing click-through).
* Public third-party **STUN servers**, queried from the victim's browser for ICE candidate gathering and NAT traversal.
## Implications
TA423 is a government-backed espionage group focused on intelligence gathering in strategically important geopolitical areas, particularly those related to the South China Sea and Taiwan. Its reliance on browser-resident reconnaissance (ScanBox) complicates detection: the initial stage drops no file and installs nothing, so endpoint tooling that keys on executables sees nothing, and the evidence has to come from mail, proxy/DNS and browser telemetry. The group is expected to continue its collection mission despite recent legal action against associated individuals.
## Mitigations
- Treat unsolicited emails that link to unfamiliar news sites with suspicion, especially when the subject is regional politics; a look-alike outlet republishing BBC or Sky News content is exactly the lure this campaign used.
- Apply web content filtering and script control so that JavaScript from newly registered, uncategorised or otherwise unknown domains does not run unchecked (browser isolation or allowlisting for high-risk users). Blanket script blocking breaks too much of the web to be sustainable, so the aim is to stop unknown sites, not all script.
- Monitor for browser-originated **WebRTC**/**STUN** traffic (STUN's registered port is 3478 over UDP or TCP, with 5349 for STUN over TLS) to servers outside the set your conferencing tools use, particularly when it follows a visit to a newly seen domain. STUN on its own is everyday conferencing traffic, so correlation with the preceding web visit is what turns it into a useful signal. Where WebRTC is not needed, browser policy can disable it or limit the addresses it exposes (for example Chrome's WebRTC IP-handling enterprise policy or Firefox's `media.peerconnection.enabled` preference).
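As an added example of the last mitigation (added here; not part of the report), the following Node script correlates constructed web-proxy and firewall records: it alerts only when a host fetches a domain outside its known-good set and, within a short window, sends UDP to a STUN port at a server outside the conferencing allowlist. All log lines, IP addresses, domain lists and the 120-second window are constructed assumptions.

```javascript
// Added example, not from the report: a correlation rule over constructed
// web-proxy and firewall records that flags browser-driven STUN
// reconnaissance. STUN by itself is ordinary conferencing traffic, so the
// rule fires only when the same source host fetched a domain outside its
// known-good set and, within a short window, sent UDP to a STUN port at a
// server that is not one of the organisation's conferencing endpoints.
// All log lines, addresses and allowlists below are constructed.

// 3478: registered STUN port (RFC 5389); 5349: STUN over TLS; 19302: Google's public STUN.
const STUN_PORTS = new Set([3478, 5349, 19302]);

// Constructed proxy log, one record per line: "<epoch> <src-ip> <host> <method> <status>"
const PROXY_LOG = `
1651310000 10.20.0.15 www.bbc.co.uk GET 200
1651310042 10.20.0.15 australianmorningnews.com GET 200
1651310044 10.20.0.15 australianmorningnews.com GET 200
1651310100 10.20.0.31 teams.microsoft.com GET 200
`.trim();

// Constructed firewall log: "<epoch> <src-ip> <dst-ip> <dst-port> <proto>"
const FW_LOG = `
1651310045 10.20.0.15 198.51.100.9 3478 udp
1651310101 10.20.0.31 52.112.0.10 3478 udp
1651310500 10.20.0.15 198.51.100.9 443 tcp
`.trim();

function parseProxyLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const [ts, src, host, method, status] = line.trim().split(/\s+/);
    return { ts: Number(ts), src, host, method, status: Number(status) };
  });
}

function parseFirewallLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const [ts, src, dst, dport, proto] = line.trim().split(/\s+/);
    return { ts: Number(ts), src, dst, dport: Number(dport), proto: proto.toLowerCase() };
  });
}

// For every proxy request to a domain outside knownDomains, look for a UDP
// flow from the same source to a non-allowlisted STUN server that starts
// within windowSec after the request. One alert per (host, domain, STUN
// server) triple, keyed on the earliest qualifying request.
function correlateStunRecon({ proxy, firewall, knownDomains, stunAllowlist, windowSec = 120 }) {
  const stunFlows = firewall.filter(
    (f) => f.proto === 'udp' && STUN_PORTS.has(f.dport) && !stunAllowlist.has(f.dst),
  );
  const alerts = new Map();
  for (const req of [...proxy].sort((a, b) => a.ts - b.ts)) {
    if (knownDomains.has(req.host)) continue;
    for (const flow of stunFlows) {
      const delta = flow.ts - req.ts;
      if (flow.src !== req.src || delta < 0 || delta > windowSec) continue;
      const key = `${req.src}|${req.host}|${flow.dst}`;
      if (!alerts.has(key)) {
        alerts.set(key, {
          host: req.src,
          domain: req.host,
          stunServer: flow.dst,
          stunPort: flow.dport,
          secondsAfterVisit: delta,
        });
      }
    }
  }
  return [...alerts.values()];
}

// Wire the constructed data together. In production knownDomains would come
// from a categorisation feed and stunAllowlist from the conferencing
// vendor's published address ranges; both sets here are assumptions.
function runDetection(windowSec = 120) {
  return correlateStunRecon({
    proxy: parseProxyLog(PROXY_LOG),
    firewall: parseFirewallLog(FW_LOG),
    knownDomains: new Set(['www.bbc.co.uk', 'teams.microsoft.com']),
    stunAllowlist: new Set(['52.112.0.10']),
    windowSec,
  });
}

console.log(runDetection());
```

On the constructed data the Teams user (10.20.0.31) never alerts, because both its destination domain and its STUN server are allowlisted, while 10.20.0.15 produces a single alert tying the look-alike domain to the STUN query that followed it three seconds later. The same shape works over real proxy and firewall exports once the two allowlists are populated; the window is the main tuning knob.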