Last August, Proofpoint, a leading cybersecurity firm based in California, published a report about an unusual phishing operation in the South China Sea. The campaign, which reportedly ran from March 2021 to June 2022, was aimed at offshore energy companies operating in the Kasawari gas field off the coast of Sarawak in Malaysia.
Companies involved with the offshore project received emails containing links to a seemingly legitimate Australian news website. Clicking on the links, however, activated a malware called ScanBox, giving the hacker a degree of control over the victim’s computer, including the ability to monitor keystrokes and browser activity.
Who was behind the attack? The authors assessed with “moderate confidence” that the hacking had the signature of a cyber espionage group known as TA423/Red Ladon or APT40. Based in Hainan, the “threat actor” is said to have links to China’s Ministry of State Security.
What was the reaction in Malaysia to an alleged cyberattack on a flagship energy project?
Petronas, the state-owned company which operates the offshore gas field, declined to comment but said the company was protected against online attacks. The cyber scoop received remarkably little coverage in the local media and did not figure on a list of significant data breaches, which included hackings at the Election Commission, Maybank (Malaysia’s largest bank), and Malaysia Airlines. Only MyCERT, the country’s cyber watchdog, issued an advisory about APT40 in November, warning that the group’s goal was “exfiltration” of “proposals, meetings, financial data, shipping information, plans and drawings, and raw data” relating to government-sponsored projects.
Malaysia’s muted response may reflect the country’s policy of non-confrontation on any issues relating to the South China Sea. For example, when China Coast Guard vessels enter coastal waters, the Royal Malaysian Navy employs a “shadowing” tactic without overtly challenging the boats or forcing them to leave. From Malaysia’s standpoint, a major trading partner like China should be allowed room to blow off steam. “Malaysia’s redline is any physical interference with its exploitation activities,” wrote Emirza Adi Syailendra, a research fellow in strategic studies at the S. Rajaratnam School of International Studies. Further, Western powers like the United States and Australia are discouraged from getting involved.
In a State of Asia podcast from 2021, author Ben Bland observed: “We see Malaysia often trying to play down the nature of these disputes to cover up incidents. Whereas countries like Vietnam and the Philippines at different times have played a much more aggressive strategy.”
The elephant in the room is China’s controversial “nine-dash line,” which covers approximately 90 percent of the South China Sea, bumping up against the Exclusive Economic Zones of neighbors and trading partners. As defined by the 1982 United Nations Convention on the Law of the Sea (UNCLOS), countries can engage in economic activities within 200 nautical miles of their shoreline. China was one of the first signatories to UNCLOS but has rejected aspects of the law, including a 2016 tribunal verdict that ruled in favor of the Philippines.
The 3.5 million square kilometers maritime zone is a highly contested space and home to some of the world’s busiest shipping lanes, resource-rich islands, lucrative fishing grounds, and a potential energy bonanza: 11 billion barrels of oil and 190 trillion cubic feet of natural gas. The South China Sea is on par with energy-rich Venezuela in gas reserves alone.
“(Almost) everyone is drilling inside the nine-dash line,” read the headline of a recent commentary from the Center for Strategic and International Studies (CSIS) in Washington, D.C. Malaysia was among the most active in exploration, having made several oil and gas discoveries in the last decade. As one of the busiest hubs of drilling activity within the nine-dash line, the Kasawari gas field became a natural focal point for the China Coast Guard’s monitoring activities.
Given its strategic and economic importance, the gas field was the target for some notable “gray zone” tactics in 2021. On June 1 of that year, when the assembly of the wellhead platform was underway, 16 Chinese aircraft “flying in tactical formation” were spotted off the coast of Sarawak. Malaysia scrambled fighter jets to intercept the transport planes. Foreign Minister Hishammuddin Hussein lodged a complaint with Beijing about the “breach of Malaysian airspace and sovereignty.” China’s Ministry of Foreign Affairs played down the incident, calling it a “routine training operation.” Hussein later spoke with China’s defense minister and underlined the “need to exercise self-restraint” in the South China Sea.
Phase one of the phishing campaign began one day after the aircraft incident. According to Proofpoint, four entities directly involved with the Kasawari project were targeted, leading the authors to suggest that “this project in the South China Sea was highly likely an area of priority interest for the threat actor.” The report predicted that the phishing campaign would continue as long as the offshore exploration companies were active in the area.
Scheduled to begin production in 2023, Kasawari is one of 19 new energy projects slated to push Malaysia into the top ranks of natural gas exporters. According to a Fitch Solutions report on the oil and gas industry, “The successful implementation of its planned offshore pipeline will make Malaysia among the outperformers in Asia in terms of gas production growth over the next three to four years.”
Why did hackers go after the offshore companies at Kasawari? Red Ladon’s tell-tale IP addresses could provide a clue to its intentions. Operating near Yulin Naval Base in Hainan, the group gathers intelligence to further China’s strategic objectives, including monitoring maritime partner countries in the Belt and Road Initiative. In 2019, researchers at the U.S.-based cybersecurity firm Mandiant (now owned by Google) wrote: “We believe APT40’s emphasis on maritime issues and naval technology ultimately support China’s ambition to establish a blue-water navy.”
The ongoing phishing campaign, however, seems to have a commercial rather than a military focus. Beijing views the South China Sea as a shared space for energy exploration, particularly within the nine-dash line. In 2018, state-owned China National Offshore Oil Corporation invited “all oil and gas companies” to “jointly invest and operate in offshore China and to achieve success together with the company.” More recently, a state-run media outlet clarified that China sought “blue economic partnerships” with ASEAN countries.
Despite the reassuring words, an uneasy calm prevails in the South China Sea. CSIS has warned, “as several claimants forge ahead with new offshore projects in 2023, oil and gas development could reemerge as a primary flashpoint in the disputes.”
Postscript. A few days after Proofpoint went public with its findings, China made a rare disclosure about a data breach. The top cybersecurity entity alleged that a U.S. intelligence agency had infiltrated the networks of Northwestern Polytechnical University in Xi’an. A group called the Office of Tailored Access Operations had deployed phishing emails to gain access to data from the aeronautics and space research programs on campus.
China’s foreign ministry urged the U.S. to “play a constructive role in defending cyber security.”