HANOI/HO CHI MINH CITY – The spyware used in cyberattacks on Vietnam’s major airports and national carrier last month is now also suspected of having bombarded many more official sites amid tensions with China over territory in the South China Sea.
Malicious code disguised as anti-virus software has been found lurking in everything from government offices to banks, major companies and universities, and was the same as that used in “politically colored” attacks on two of the country’s biggest airports and Vietnam Airlines, said Ngo Tuan Anh, vice chairman of Hanoi-based network security company Bkav Corp.
On July 29, the flight screens at the airports displayed messages critical of Vietnam’s claims to the South China Sea, according to the VnExpress news website. Vietnam and the Philippines have been the most vocal in criticizing China for its increased assertiveness over the area.
While more evidence is needed to pinpoint the likely origin, the attacks were clearly political in nature, Anh said. The spyware aimed at Vietnam was from one group or several actors working together that has made assaults on institutions in the country since 2012, he added.
With tensions running high in the South China Sea as China increases its military presence in the area, having reclaimed land on shoals and reefs, claimant nations are seeking diplomatic and popular support for their stances. The Vietnam incident highlights the vulnerability of some smaller Southeast Asian states to attacks on their government infrastructure.
“The attack on the airport and airline appears to be the work of cyberactivists who are using it to promote a political agenda,” said Wias Issa, senior director for the Asia-Pacific region at the security company FireEye, in an e-mail.
The website of the Permanent Court of Arbitration in The Hague went offline in October during a hearing of a Philippine challenge to China’s claim to more than 80 percent of the South China Sea. The court ruled last month in favor of the Philippines, prompting an angry response from Beijing, which did not take part in the arbitration proceedings and says it doesn’t recognize the verdict.
Vietnam’s minister of information and communications, Truong Minh Tuan, said the government is reviewing Chinese technology and devices after the July cyberattack, the Tuoi Tre newspaper reported. Major Vietnamese telecom operators use Chinese technology, raising the threats of more data breaches, he said.
The Chinese hacker group 1937cn initially claimed responsibility for the incident, which included the leak of Vietnam Airlines’ database of frequent flyers, before denying involvement, Tuan said.
1937cn team founder Liu Yongfa was quoted in China’s state-run Global Times as saying he neither admitted nor denied the attacks. “1937cn is a nongovernment organization,” Liu said. “We do not want to be a victim of the politics. At a time when the definition of a cybercrime remains vague in China, our team will start a cyberwar to defend the country and the people when their sovereignty and rights are violated by foreign countries.”
Hackers are increasingly using the tactic of “information theft and then information dump” to embarrass victims, said Tobias Feakin, director of the national security program at the Australian Strategic Policy Institute in Canberra.
“1937cn is clearly a nationalist hacker group with distinct sympathy for China’s nationalistic agenda,” said Feakin. “Can you say it is the work of the Chinese government? No. But this is one of a growing number of hacker organizations sympathetic to the views of certain parts of the Chinese government and the People’s Liberation Army.”
Territorial tensions have picked up between Vietnam and China since China dragged an exploration oil rig into contested waters in mid-2014. The move led to deadly anti-China protests in Vietnam and clashes at sea between coast guard boats. There was a spike in cyberattacks on Vietnamese targets at the time, according to the cybersecurity company CrowdStrike.
Vietnam has seen a rise in hacks of government sites, with more than 3,000 defacement attacks and over 5,000 malware attacks in the first half of 2015, the latest period for which figures are available, according to the Ministry of Information and Communications.
Hackers were found to have used Internet protocol addresses based in countries including China, the U.S. and Russia, it said in an emailed response to questions at the time.
“The use of spyware to steal data and the trend of launching politically colored hacks are increasing and becoming more apparent,” Anh said.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.