SecurityWeek

Cybercrime

Cyber Espionage Targets Interests in South China Sea

A cyber espionage campaign has been discovered apparently targeting participants in the recent Permanent Court of Arbitration case brought by the Philippines against China over Chinese claims of sovereignty in the South China Sea. The case was found against China last month. China itself did not accept the validity of the case, did not attend the arbitration, and has since rejected the ruling.

The cyber espionage campaign was discovered by F-Secure, which named it NanHaiShu and has today published an analysis of the methodology and malware involved. NanHaiShu (南海鼠) translates to “South China Sea Rat” in English.

The malware was delivered by highly targeted emails in which individually crafted messages demonstrate that only specific organizations were targeted. These include the Philippines Court of Justice, the organizers of last November’s APEC Summit held in the Philippines (during which it was expected that the South China Sea dispute would be discussed), and a major international law firm that represents one of the parties in the dispute.

The malware delivered to the law firm was contained in an Excel macro. The message talks about “the range of salaries and/or bonuses”, and the XLS attachment filename is ‘Salary and Bonus Data.xls’. The combination of the email message and a VBA delivery mechanism suggests that considerable effort was put into researching the targets and socially engineering the attack. VBA simply will not work for targets with Excel’s default settings, suggesting that the attackers were aware that their targets specifically allow macros within their day-to-day work.
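The point above is that a VBA lure only works where Excel's default macro blocking has been relaxed. The following added example (not from the F-Secure report or this article) audits that setting on a Windows host by reading Excel's VBAWarnings value for each Office release, checking the Group Policy key first because it overrides the per-user one; it assumes PowerShell 5 or later and a standard per-user Office installation.

```powershell
# Added example: audit Excel's macro security setting. VBAWarnings meanings:
# 1 = enable all macros, 2 = disable with notification (Excel default),
# 3 = disable all except digitally signed, 4 = disable without notification.
$versions = '12.0', '14.0', '15.0', '16.0'   # Office 2007, 2010, 2013, 2016/2019/365
$meaning  = @{
    1 = 'ALL MACROS ENABLED - lure would run'
    2 = 'disabled with notification (default)'
    3 = 'disabled except digitally signed'
    4 = 'disabled without notification'
}

function Get-ExcelMacroPolicy {
    foreach ($v in $versions) {
        # Policy key (set by GPO) takes precedence over the user-controlled key.
        $keys = @(
            "HKCU:\Software\Policies\Microsoft\Office\$v\Excel\Security",
            "HKCU:\Software\Microsoft\Office\$v\Excel\Security"
        )
        foreach ($root in $keys) {
            if (-not (Test-Path $root)) { continue }
            $props = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
            if ($null -eq $props.VBAWarnings) { continue }
            [pscustomobject]@{
                OfficeVersion     = $v
                Source            = if ($root -like '*\Policies\*') { 'GroupPolicy' } else { 'User' }
                VBAWarnings       = [int]$props.VBAWarnings
                Meaning           = $meaning[[int]$props.VBAWarnings]
                # Office 2016+: 1 means macros are blocked in files marked as downloaded from the Internet
                BlockFromInternet = $props.blockcontentexecutionfrominternet
            }
        }
    }
}

Get-ExcelMacroPolicy | Format-Table -AutoSize
```

No output for a version means Excel of that release is not installed or still has its default settings; a row with VBAWarnings 1 is the configuration the attackers described here were counting on.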

The malware itself is a remote access trojan (RAT) capable of downloading additional malware and exfiltrating files to the C&C server. F-Secure doesn’t know what files might have been stolen from the victims, so it cannot absolutely confirm the arbitration case as the primary motive. The timeline of infections, targets and notable events around the arbitration does, however, provide compelling circumstantial evidence.

The malware shows strong indications of Chinese origins, with code reused from Chinese forums. “The malware’s VBA base64 decoder function seems to be popular among Chinese programmers,” notes the report. “Searching for the variable names on the Internet leads to a handful of Chinese websites.”

But F-Secure does not attribute the attacks to the Chinese government, nor even to a specific Chinese malware group. F-Secure cyber security advisor Erka Koivunen told SecurityWeek that he cannot say for certain that the malware relates to any existing group (although some researchers are looking for similarities with the APT 17 group and BLACKCOFFEE). He also said that attributing the attacks to the Chinese government would be a step too far; but he did say that he expects to see more of this group in the future.

Despite F-Secure’s refusal to describe this campaign as state-sponsored, there will undoubtedly be those who will make such an assumption. Since China was not present at an international arbitration case involving its own territorial claims, it would not have had direct access to some of the information presented or discussed. Espionage would be one way to obtain this information.

Under such an assumption, the NanHaiShu gang become the equivalent of law enforcement agency (LEA) informants — neither under the control of nor working to the instructions of the LEA, but nevertheless providing welcome information to that LEA.

One thing is certain — Chinese feelings about the South China Sea run deep. Soon after the ruling, China commenced a major wargames exercise with, according to ZeroHedge, “some 300 ships, dozens of fighter planes, and involved troops that are responsible for coastal defense radars, communications, and electronic warfare defense.”

In a separate publication, F-Secure provides information on how this and similar malware campaigns can be discovered and defeated.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.