Cyber Espionage Targets Interests in South China Sea

A cyber espionage campaign has been discovered apparently targeting participants in the recent Permanent Court of Arbitration case brought by the Philippines against China over Chinese claims of sovereignty in the South China Sea. The case was found against China last month. China itself did not accept the validity of the case, did not attend the arbitration, and has since rejected the ruling.

The cyber espionage campaign was discovered by F-Secure, which named it NanHaiShu and has today published an analysis of the methodology and malware involved. NanHaiShu (南海鼠) translates to “South China Sea Rat” in English.

The malware was delivered by highly targeted emails in which individually crafted messages demonstrate that only specific organizations were targeted. These include the Philippines Court of Justice, the organizers of last November’s APEC Summit held in the Philippines (during which it was expected that the South China Sea dispute would be discussed), and a major international law firm that represents one of the parties in the dispute.

The malware delivered to the law firm was contained in an Excel macro. The message talks about “the range of salaries and/or bonuses”, and the XLS attachment filename is ‘Salary and Bonus Data.xls’. The combination of the email message and a VBA delivery mechanism suggests that considerable effort was put into researching the targets and socially engineering the attack. VBA simply will not work for targets with Excel’s default settings, suggesting that the attackers were aware that their targets specifically allow macros within their day-to-day work.

The malware itself is a remote access trojan (RAT) capable of downloading additional malware and exfiltrating files to the C&C server. F-Secure doesn’t know what files might have been stolen from the victims, so it cannot absolutely confirm the arbitration case as the primary motive. The timeline of infections, targets and notable events around the arbitration does, however, provide compelling circumstantial evidence.

The malware shows strong indications of Chinese origins, with code reused from Chinese forums. “The malware’s VBA base64 decoder function seems to be popular among Chinese programmers,” notes the report. “Searching for the variable names on the Internet leads to a handful of Chinese websites.”
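As an added defensive example (this is not code from F-Secure’s report), the following Python script triages VBA source already extracted from an Office document (for instance with oletools’ olevba) and scores it for the traits described above: an auto-execution hook, a hand-rolled base64 decoder, and object or process creation. The rule names, weights and both sample macros are constructed for this example.

```python
"""Heuristic triage of extracted VBA macro source.

Added example; the rules, weights and sample macros are constructed and are
not taken from the NanHaiShu analysis.
"""
import re
from typing import Dict, Tuple

# rule name -> (regex, weight); weights are this example's own choice
RULES: Dict[str, Tuple[str, int]] = {
    "auto_exec":     (r"\bSub\s+(Auto_Open|Workbook_Open|Document_Open)\b", 3),
    "b64_alphabet":  (r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\+/", 3),
    "manual_decode": (r"\b(Chr|ChrW|Mid|InStr)\s*\(", 1),   # typical hand-rolled decoder calls
    "file_write":    (r"\b(Open\s+.+\s+For\s+Binary|\.Write\b|SaveToFile)", 2),
    "object_create": (r"\bCreateObject\s*\(", 2),
    "shell_exec":    (r"\b(Shell|WScript\.Shell|\.Run|\.Exec)\b", 3),
}

def score_vba(source: str) -> Dict[str, int]:
    """Return {rule_name: match_count} for every rule that fires (case-insensitive)."""
    hits: Dict[str, int] = {}
    for name, (pattern, _weight) in RULES.items():
        count = len(re.findall(pattern, source, flags=re.IGNORECASE))
        if count:
            hits[name] = count
    return hits

def risk_score(hits: Dict[str, int]) -> int:
    """Sum the weight of each rule that fired; presence counts, not repetition."""
    return sum(RULES[name][1] for name in hits)

def triage(source: str, threshold: int = 6) -> Tuple[str, int, Dict[str, int]]:
    """Classify a macro as 'suspicious' or 'benign' from its weighted rule hits."""
    hits = score_vba(source)
    score = risk_score(hits)
    return ("suspicious" if score >= threshold else "benign"), score, hits

# Constructed sample: decoder skeleton plus auto-run hook (deliberately non-functional)
SUSPICIOUS_MACRO = """
Private Function DecodeB64(s As String) As String
    Const ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    Dim i As Long
    For i = 1 To Len(s) Step 4
        DecodeB64 = DecodeB64 & Chr(InStr(ALPHA, Mid(s, i, 1)) - 1)
    Next i
End Function

Sub Auto_Open()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run DecodeB64("...")
End Sub
"""

# Constructed sample: an ordinary spreadsheet helper with no such traits
BENIGN_MACRO = """
Sub FormatSalaries()
    Range("B2:B50").NumberFormat = "#,##0.00"
End Sub
"""

if __name__ == "__main__":
    for label, macro in (("suspicious", SUSPICIOUS_MACRO), ("benign", BENIGN_MACRO)):
        print(label, triage(macro))
```

The rules are deliberately coarse; a real deployment would tune weights against the organisation’s own legitimate macros, since the report notes that these targets relied on macros in daily work.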

But F-Secure does not attribute the attacks to the Chinese government, nor even to a specific Chinese malware group. F-Secure cyber security advisor Erka Koivunen told SecurityWeek that he cannot say for certain that the malware relates to any existing group (although some researchers are looking for similarities with the APT 17 group and the BLACKCOFFEE malware). He also said that attributing the attacks to the Chinese government would be a step too far; but he did say that he expects to see more of this group in the future.

Despite F-Secure’s refusal to describe this campaign as state-sponsored, there will undoubtedly be those who make such an assumption. Because China was not present at an international arbitration case involving its own territorial claims, it would not have had direct access to some of the information presented or discussed. Espionage would be one way to obtain this information.

Under such an assumption, the NanHaiShu gang become the equivalent of LEA informants — neither under the control of nor working to the instructions of the LEA, but nevertheless providing welcome information to that LEA.

One thing is certain — Chinese feelings in the South China Sea run deep. Soon after the ruling, China commenced a major wargames exercise with, according to ZeroHedge, “some 300 ships, dozens of fighter planes, and involved troops that are responsible for coastal defense radars, communications, and electronic warfare defense.”

In a separate publication, F-Secure provides information on how this and similar malware campaigns can be discovered and defeated.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
