Threats · 5 min read · 3 July 2026

Fake News, Real Damage: How China's TA423 Used a Bogus Australian Website to Spy on Energy Workers

A state-linked espionage group spent two months running a fictitious news outlet to silently harvest keystrokes from offshore energy employees — no malware download required.

train2secure Newsdesk, Security awareness team

A Chinese state-linked hacking group ran a two-month cyber-espionage campaign from April through mid-June 2022, using a fake Australian news website to silently record what visitors typed on it, with the targeting aimed at workers at offshore energy companies operating in the South China Sea. The campaign was documented by Proofpoint and PwC Threat Intelligence in joint research published in August 2022.

Who Is TA423 — and Why Should Energy Companies Care?

The group goes by several names: TA423 in Proofpoint's tracking system, Red Ladon in PwC's. Researchers assess it operates out of Hainan Island, China. A U.S. Department of Justice indictment unsealed in July 2021, which both vendors link to this group, charged three officers of China's Ministry of State Security (the country's civilian intelligence service) and a contractor working through a front company, and identified victims across twelve countries in sectors including aviation, defence, healthcare, and maritime shipping.

This campaign added offshore energy to that list. The targets were employees at companies with operations in the South China Sea, as well as organisations inside Australia itself. Proofpoint's Sherrod DeGrippo stated that the group "specifically wants to know who is active in the region," with sustained focus on naval and energy activity near Malaysia, Singapore, Taiwan, and Australia. The strategic logic is obvious: the South China Sea is one of the world's most contested maritime zones, and knowing which companies are drilling, shipping, or contracting there is intelligence of significant value to a nation-state actor.

The Attack: A Phishing Email and a Newspaper That Never Existed

The intrusion chain started simply. Targets received emails with subject lines like "Sick Leave," "User Research," or "Request Cooperation." Each message appeared to come from a journalist at a publication called the "Australian Morning News." The ask was benign-sounding: visit our website.

The website — australianmorningnews[.]com — looked credible. Its articles were scraped word-for-word from the BBC and Sky News. Nothing about the page screamed danger. But while visitors read the headlines, the site was already running ScanBox silently in the background.

ScanBox is a reconnaissance framework written in JavaScript. That matters for one specific reason: it installs nothing. No file lands on the victim's machine and no new process starts, so no antivirus alert fires. The code runs entirely inside the browser tab and reports what it gathers back to attacker-controlled infrastructure. One caveat the "keylogger" label tends to hide: browser JavaScript is confined to the page that loaded it. ScanBox's keylogger plugin captures what the visitor types on the fake news site itself (a search box, a sign-up form, or a login prompt the attackers choose to present), not what is typed into other tabs, the corporate VPN client, or any other application. Passwords are at risk when the lure persuades the victim to enter them on the attacker's page.

The toolkit went further than keystroke capture. It is modular, so the operator picks which plugins to run against each visitor: one fingerprinted the operating system, browser version and installed plugins; another used WebRTC, the browser's built-in real-time communication API, to learn the visitor's network addresses. WebRTC gathers connection candidates that include the machine's local address and the public address observed by a STUN server, and because that traffic is sent over UDP rather than through the browser's HTTP proxy, it can expose an address that a corporate proxy or VPN on the web path was meant to hide. Modern browsers now replace the local address with an mDNS name by default, which blunts the LAN-discovery part but not the public-address leak. Victims filled out a detailed intelligence form without ever knowing it existed.
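To make the WebRTC step concrete, here is an added example that is not ScanBox code and not taken from the Proofpoint or PwC research: it parses the ICE candidate lines a browser emits and sorts them into the addresses a profiling script could keep, showing which ones an mDNS-masking browser withholds. The candidate strings are constructed samples using documentation and private address ranges, and the STUN server URL in the browser harness is hypothetical.

```javascript
// Added example (not ScanBox code): what an in-page script learns from WebRTC
// ICE candidates, and what modern browsers withhold. The candidate lines below
// are constructed samples; 192.168.1.10 and 198.51.100.23 are private and
// documentation addresses, not real victims.

// RFC 5245 candidate attribute (simplified):
//   candidate:<foundation> <component> <transport> <priority> <addr> <port> typ <type> ...
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/;

// Browsers that mask the LAN address publish a UUID-style mDNS name instead.
const MDNS_RE = /^[0-9a-f-]{36}\.local$/i;
const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;

function parseIceCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null;
  const address = m[5];
  return {
    transport: m[3].toLowerCase(),
    type: m[7],                      // host | srflx | prflx | relay
    address,
    port: Number(m[6]),
    masked: MDNS_RE.test(address),   // true when the browser hid the LAN IP
    isIPv4: IPV4_RE.test(address),
  };
}

// What a profiling script would keep. "host" candidates carry LAN addresses;
// "srflx" candidates carry the public address the STUN server saw, which is
// the address a proxy or VPN on the web path was supposed to hide.
function harvestAddresses(candidateLines) {
  const out = { lan: [], public: [], maskedCount: 0 };
  for (const line of candidateLines) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    if (c.masked) { out.maskedCount += 1; continue; }
    if (c.type === 'host') out.lan.push(c.address);
    else if (c.type === 'srflx' || c.type === 'prflx') out.public.push(c.address);
  }
  out.lan = [...new Set(out.lan)];
  out.public = [...new Set(out.public)];
  return out;
}

// Constructed sample: how two browser generations might describe one visitor.
const SAMPLE_CANDIDATES = [
  // Older browser: raw private address exposed as a host candidate
  'candidate:1 1 udp 2122260223 192.168.1.10 54321 typ host generation 0',
  // Modern browser: LAN address replaced by an mDNS name
  'candidate:2 1 udp 2122260223 3a2f1b9e-7c4d-4f1e-9a6b-1f2e3d4c5b6a.local 54322 typ host generation 0',
  // Server-reflexive candidate: public address observed by the STUN server
  'candidate:3 1 udp 1686052607 198.51.100.23 61000 typ srflx raddr 192.168.1.10 rport 54321 generation 0',
  'not a candidate line',
];

// Browser-only harness: feed the page's real candidates into the same parser.
// Skipped under Node, where RTCPeerConnection does not exist. The STUN server
// name is hypothetical.
function observeOwnCandidates(onDone) {
  if (typeof RTCPeerConnection === 'undefined') return onDone(null);
  const lines = [];
  const pc = new RTCPeerConnection({ iceServers: [{ urls: 'stun:stun.example.org:3478' }] });
  pc.createDataChannel('probe');
  pc.onicecandidate = (ev) => {
    if (ev.candidate) lines.push(ev.candidate.candidate);
    else { pc.close(); onDone(harvestAddresses(lines)); }
  };
  pc.createOffer().then((offer) => pc.setLocalDescription(offer));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(harvestAddresses(SAMPLE_CANDIDATES));
  // → { lan: [ '192.168.1.10' ], public: [ '198.51.100.23' ], maskedCount: 1 }
}
```

The defensive reading of the output is the point: masking removes the LAN address from the first candidate, but the server-reflexive candidate still hands over the public address, so a browser policy that disables non-proxied UDP for WebRTC (or blocks it on untrusted sites) is the control that closes the gap, not a browser upgrade alone.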

Why Traditional Defences Missed This

This is where the incident becomes a genuine teaching moment for defenders. ScanBox's file-less design is the first control failure to examine. Endpoint detection tools (antivirus, EDR platforms) are built around detecting malicious files and processes. When an attack lives entirely inside a JavaScript runtime within a sanctioned browser process, there is no new file, no new process and no unusual parent-child relationship to flag; the only artefacts are outbound web requests to a domain that looks like a news site. The attack surface shifted from the endpoint to the browser itself, and most organisations have far less visibility there: the evidence sits in DNS and proxy logs, which few teams review for newly registered or uncategorised destinations.

The second failure is in the phishing chain. The lure emails used plausible social contexts — a journalist seeking cooperation, a request about leave — rather than obvious urgency scams. Vague subject lines are a known red flag, but they're only a red flag if employees have been trained to recognise them. The 2023 Verizon Data Breach Investigations Report found that the human element contributed to 74% of all breaches analysed; campaigns like this one illustrate exactly why. Workers who regularly practise identifying phishing lures — not just reading a policy document once a year — are meaningfully harder to manipulate. That kind of repetitive, scenario-based training is precisely what security awareness programs at Train2Secure are designed to deliver.

A third gap: even if credentials were captured through ScanBox's keylogger, multi-factor authentication would have blunted the downstream damage significantly. MFA doesn't prevent the keylogger from running: nothing about enforcing a second factor stops JavaScript executing in a browser tab. But it does mean that a harvested password alone is insufficient to access corporate systems, which sharply limits what attackers can do with captured credentials before defenders notice something is wrong. The type of second factor matters, though. A one-time code typed into an attacker-controlled page can be captured and replayed within its validity window, whereas FIDO2/WebAuthn credentials are bound to the genuine site's origin and cannot be reused from a lookalike domain.

What Defenders Should Do Now

Researchers from both Proofpoint and PwC noted that despite the 2021 DoJ indictment naming key TA423 operators, the group has not meaningfully curtailed its activity. Indictments of foreign nationals operating inside adversary states rarely produce arrests. Naming is a diplomatic and deterrence tool; it is not a security control.

Organisations in the energy, maritime, defence, and government sectors — particularly those with any operational footprint near the South China Sea — should treat TA423 as an active, ongoing threat.

For practical next steps, security teams should review their alignment with recognised standards including NIST SP 800-53 controls around awareness and training (the AT family), identification and authentication (the IA family, where IA-2 covers multi-factor authentication) and access control (the AC family). Specific actions worth prioritising:

  • Browser-layer visibility: Deploy browser isolation or content inspection tools capable of analysing JavaScript behaviour in real time, not just file-based payloads.
  • Phishing simulation with sector-specific lures: Generic phishing tests rarely replicate the social engineering sophistication of APT groups. Scenarios should include fake professional outreach, industry-relevant subject lines, and lookalike domains.
  • MFA everywhere, without exceptions: Any internet-facing application, VPN, or email platform that lacks MFA is a direct path from a stolen password to a breach.
  • DNS filtering and domain categorisation: A newly registered domain posing as a news outlet with no history should trigger a review before employees ever reach it. Many DNS filtering solutions flag domains registered within the past 30 days. Treat that as one signal rather than the whole control: a patient actor can register and age a domain before using it, so pair the age check with "uncategorised" and "first seen in this organisation" signals.
  • Incident response drills that include browser-based attacks: Tabletop exercises often focus on ransomware or data exfiltration via file transfer. Teams should also rehearse responding to watering-hole and drive-by browser attacks.
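The DNS filtering item above is the one check that fires before any employee reaches the site, so here is an added example of the triage it implies, written for Node.js; it is not code from train2secure, Proofpoint or PwC. It scores each domain seen in resolver logs on three signals: registered within the last 30 days, absent from the category feed, and a lookalike of a trusted name. The resolver log lines, the registration-date table that stands in for a WHOIS/RDAP lookup (including the date given for australianmorningnews.com), the category feed and the trusted-domain list are all constructed for illustration.

```javascript
// Added example (not train2secure, Proofpoint or PwC code): score DNS-resolver
// log lines on the signals a DNS filter uses. All data below is constructed,
// including the registration date shown for australianmorningnews.com.
const NEW_DOMAIN_DAYS = 30;               // common "newly registered" window
const NOW = Date.UTC(2022, 3, 20);        // constructed clock: 2022-04-20

// Constructed stand-in for a WHOIS/RDAP creation-date lookup (YYYY-MM-DD).
const REGISTRATION_DATE = {
  'australianmorningnews.com': '2022-04-02',   // constructed, not the real record
  'smh-com-au.com': '2022-04-10',              // constructed lookalike domain
  'abc.net.au': '1997-01-01',                  // constructed
  'bbc.co.uk': '1996-08-01',                   // constructed
};
// Constructed web-category feed; anything missing counts as uncategorised.
const CATEGORY = { 'abc.net.au': 'news', 'bbc.co.uk': 'news' };
// Domains staff legitimately visit; candidates are compared against these.
const TRUSTED_DOMAINS = ['abc.net.au', 'smh.com.au', 'bbc.co.uk', 'news.com.au'];
// Constructed resolver log lines: "<ISO time> <client IP> <qname> <qtype>"
const LOG_LINES = [
  '2022-04-19T08:01:12Z 10.20.0.15 abc.net.au A',
  '2022-04-19T08:03:44Z 10.20.0.15 bbc.co.uk A',
  '2022-04-19T09:17:05Z 10.20.0.31 australianmorningnews.com A',
  '2022-04-19T09:17:06Z 10.20.0.31 australianmorningnews.com AAAA',
  '2022-04-19T11:40:51Z 10.20.0.77 smh-com-au.com A',
  'malformed line that should be skipped',
];

function parseLogLine(line) {
  const p = line.trim().split(/\s+/);
  if (p.length !== 4 || Number.isNaN(Date.parse(p[0]))) return null;
  return { ts: p[0], client: p[1], qname: p[2].toLowerCase().replace(/\.$/, ''), qtype: p[3] };
}

// Label left of the public suffix. A real deployment would use the Public
// Suffix List; this toy only knows the two-part suffixes in its sample data.
const TWO_PART_SUFFIXES = new Set(['net.au', 'com.au', 'co.uk']);
function registrableLabel(domain) {
  const labels = domain.split('.');
  const depth = TWO_PART_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-depth)[0];
}

// Edit distance, single-row dynamic programme.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Lookalike test: strip dots and hyphens so "smh-com-au.com" collapses onto
// "smh.com.au", then allow one edit for typosquats. Trusted domains pass.
const norm = (s) => s.replace(/[.-]/g, '');
function lookalikeOf(domain) {
  if (TRUSTED_DOMAINS.includes(domain)) return null;
  const cand = norm(registrableLabel(domain));
  if (cand.length < 3) return null;
  for (const t of TRUSTED_DOMAINS) {
    for (const form of [norm(t), norm(registrableLabel(t))]) {
      if (levenshtein(cand, form) <= 1) return t;
    }
  }
  return null;
}

function daysSinceRegistration(domain) {
  const d = REGISTRATION_DATE[domain];
  return d ? Math.floor((NOW - Date.parse(`${d}T00:00:00Z`)) / 86400000) : null;
}

// Aggregate per domain, attach reasons, most suspicious first.
function triage(lines) {
  const byDomain = new Map();
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const e = byDomain.get(rec.qname) || { domain: rec.qname, queries: 0, clients: new Set() };
    e.queries += 1;
    e.clients.add(rec.client);
    byDomain.set(rec.qname, e);
  }
  const findings = [];
  for (const e of byDomain.values()) {
    const reasons = [];
    const age = daysSinceRegistration(e.domain);
    if (age === null) reasons.push('no registration record');
    else if (age <= NEW_DOMAIN_DAYS) reasons.push(`registered ${age} days ago`);
    if (!CATEGORY[e.domain]) reasons.push('uncategorised');
    const look = lookalikeOf(e.domain);
    if (look) reasons.push(`lookalike of ${look}`);
    findings.push({ domain: e.domain, queries: e.queries, clients: e.clients.size, reasons });
  }
  return findings.sort((a, b) => b.reasons.length - a.reasons.length || a.domain.localeCompare(b.domain));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of triage(LOG_LINES)) console.log(f.domain, f.clients, f.queries, f.reasons);
}
```

Two design points carry over to a real deployment: the age check alone would miss a domain the actor aged past the window, so the "uncategorised" signal is what keeps a patient actor's site in the review queue; and the lookalike test works on the registrable label, so it catches `smh-com-au.com` as a copy of `smh.com.au` but, correctly, does not flag a plausible-but-fictitious outlet like the one in this campaign, which is why the first two signals have to do that work.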

TA423 operates with patience. The fake Australian Morning News domain was likely active and tested for weeks before the first phishing email was sent. Defenders rarely have the luxury of that kind of preparation time — which is why building trained human instincts is as important as any technical control.

For organisations evaluating where to start, Train2Secure's pricing page outlines programme options built for teams of varying sizes and maturity levels.

How This Attack Could Have Been Stopped Earlier

  • Train employees with scenario-based phishing simulations that replicate APT-style lures — professional outreach, industry-relevant subject lines, and lookalike domains — not just generic scam emails.
  • Enforce MFA on every internet-facing application so that harvested passwords cannot be used directly, even when keyloggers capture them.
  • Deploy DNS filtering to block newly registered domains before employees ever reach a malicious watering-hole site.

Train2Secure's security awareness programmes include sector-specific phishing simulations designed to build exactly the human instincts that technical controls alone cannot replace.

Start free — no card required

Frequently asked questions

What is ScanBox and why is it hard to detect?

ScanBox is a reconnaissance framework written in JavaScript that runs entirely inside a victim's browser tab. Because it installs no files and starts no new process, most antivirus and endpoint detection tools have nothing to flag. It records keystrokes typed on the page that loaded it, collects browser details and installed plugins, and can reveal a user's network addresses through WebRTC, including a public address that a proxy on the web path was meant to hide.

Who are TA423 and Red Ladon?

TA423, also tracked as Red Ladon, is a Chinese state-linked hacking group assessed to operate from Hainan Island. A July 2021 U.S. Department of Justice indictment linked the group to China's Ministry of State Security. Their known targets span twelve countries across aviation, defence, maritime, healthcare, and energy sectors.

Would multi-factor authentication have stopped this attack?

MFA would not have prevented ScanBox from running in a browser or stopped it from recording keystrokes in real time. However, MFA significantly limits what attackers can do with any passwords they capture: a harvested credential alone is not enough to log into MFA-protected systems, reducing the blast radius of the attack considerably.

How can organisations detect watering-hole attacks like this one?

Key controls include DNS filtering that flags newly registered or uncategorised domains, browser isolation technology that analyses JavaScript behaviour rather than just files, and phishing awareness training that teaches employees to treat unsolicited requests to visit external websites as suspicious — regardless of how professional the email looks.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.
