The ongoing dispute over the South China Sea has apparently spilled over into cyberspace recently, as hackers believed to be from China have attacked government and private-sector organizations linked to the row over the key waterway, a new analysis has found.
Using malicious software, hackers have tried to swipe sensitive information from the Philippines and other targets, according to a report released last week by Finnish cybersecurity firm F-Secure.
Notable targets included the Philippines Department of Justice, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and an unidentified major international law firm involved in last month’s landmark South China Sea arbitration decision at The Hague, the report said.
The Department of Justice played a key role in the case, and reports ahead of a November 2015 APEC event in the Philippines had said leaders attending the summit would discuss the South China Sea issue.
F-Secure said more organizations had been targeted, but details had been withheld at their request. The omitted portions of the report, however, did not indicate that the arbitration court would itself have been targeted by this malware campaign, Erka Koivunen, a cybersecurity adviser with F-Secure, told The Japan Times.
Manila won a resounding legal victory in the case against China when the international tribunal rejected Beijing’s historic claims to much of the strategically important waters, through which $5 trillion in annual global trade passes.
“Based on the specific selection of organizations targeted for attack by this malware, as well as indications revealed in our technical analysis of the malware itself, we believe the threat actor to be of Chinese origin,” the authors of the report wrote.
Koivunen, however, said that his firm could not directly attribute the cyberattack to the Chinese government or individual units within it.
“We have been careful to emphasize that espionage of this sort has become rather commonplace nowadays,” he said, adding that it was possible other means of espionage — human intelligence, signals intelligence and other malware campaigns — have been used in tandem with NanHaiShu.
“We just do not have evidence of them,” Koivunen added. “At least not yet.”
Bryce Boland, chief technology officer for Asia Pacific at cybersecurity firm FireEye, said that while attributing attacks is notoriously difficult, China’s top cybergroups are capable of penetrating most organizations with relative ease.
“One advantage China has in the Pacific is that many of its neighbors tend to have less sophisticated defenses, which allows groups with moderate skills to be quite successful,” Boland said.
F-Secure’s analysis indicates that multiple samples of the malware, known as NanHaiShu — or “South China Sea rat” in Mandarin — were discovered over the course of the investigation. Of the samples collected, a particular subset was tasked with gathering intelligence related to the South China Sea arbitration case, it said.
The first version of the malware was spotted by the firm in January 2015, just after the Permanent Court of Arbitration posted a press release about the case asking for more information from the Philippine government.
While the malware samples uncovered by F-Secure had initially been connecting to command-and-control servers hosted by a U.S. cloud-computing service, that changed on Oct. 26, 2015, when all servers pointed to a Chinese IP address. This shift coincided with reports of a U.S. Navy ship making the first in a planned series of so-called freedom of navigation operations near Chinese-controlled islets in the South China Sea.
According to the analysis, distribution of the malware remained active as of March 2016.
Koivunen, who called the malware a “remotely commandeered data theft program,” said “it can be used to search for and exfiltrate any type of file that the victim has access to.”
Called a Remote Access Trojan (RAT), it is spread in spear-phishing email messages that contain the malware as a file attachment, the report said. The email message contents include, among other things, industry-specific terminology indicating they were deliberately crafted with specific targets in mind.
Delivered via email in the form of convincingly crafted decoy files, the malware relies on the victim being enticed to open the attachment and voluntarily turn off protections, according to Koivunen.
One email, for example, targeted a Philippines Department of Justice employee with an attachment claiming to contain details of “staff bonuses.”
“The malware uses no vulnerabilities to get past security controls; rather it uses social-engineering tactics to convince the targeted user to take the trojan malware inside and install it on his or her computer,” Koivunen said.
“The social-engineering aspect is believed to be particularly strong in this campaign. The users had to be confident that the message they received was legitimate as they had to dismiss explicit Microsoft Office security warnings before the infection could take place,” he added.
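The infection path described above, an Office attachment whose security warnings the user must dismiss, is the kind of thing a mail gateway can triage before delivery. The following is an added example, not code from the report or from F-Secure: it treats OOXML attachments as zip archives and flags those carrying a VBA project, including ones hiding behind a macro-free extension. The sample attachments and their filenames are constructed here; legacy binary .doc/.xls files would need a separate OLE check.

```python
import io
import zipfile

# Constructed sample builder (not campaign artifacts): an OOXML document is a
# zip, and a macro-enabled one carries word/vbaProject.bin or xl/vbaProject.bin.
def _make_ooxml(with_macro: bool, part_dir: str = "word") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr(f"{part_dir}/document.xml", "<w:document/>")
        if with_macro:
            # placeholder bytes standing in for a real compiled VBA project
            z.writestr(f"{part_dir}/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


def attachment_findings(filename: str, data: bytes) -> list[str]:
    """Return defender-oriented findings for one attachment: a VBA project
    present, and a macro-free extension (.docx/.xlsx/.pptx) hiding one."""
    findings: list[str] = []
    if not data.startswith(b"PK"):
        return findings  # not OOXML; legacy OLE formats are out of scope here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return ["corrupt or non-zip attachment"]
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    ext = filename.rsplit(".", 1)[-1].lower()
    if has_vba:
        findings.append("macro-enabled Office document (VBA project present)")
        if ext in ("docx", "xlsx", "pptx"):
            findings.append(f"macro-free extension .{ext} hides a VBA project")
    return findings


# Constructed inbox: one lure mimicking the "staff bonuses" theme from the
# report, one benign document, one spreadsheet with a mismatched extension.
SAMPLES = {
    "staff_bonuses.docm": _make_ooxml(True),
    "agenda.docx": _make_ooxml(False),
    "report.xlsx": _make_ooxml(True, "xl"),
}


def triage(samples=SAMPLES) -> dict[str, list[str]]:
    """Run the check over every attachment and map filename to findings."""
    return {name: attachment_findings(name, body) for name, body in samples.items()}
```

Anything flagged here is a candidate for quarantine or for stripping the VBA part before delivery, which removes the need for the recipient to judge the Office warning at all.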
Experts say spear-phishing is extremely common and responsible for the vast majority of publicized breaches.
“It’s a common misconception that attackers break into organizations, when really they trick people into letting them in by exploiting human trust,” said FireEye’s Boland.
“We’re not talking about Nigerian scams, but targeted communications using relevant — maybe even legitimate — information as a lure,” he added.