A cyber espionage campaign has been discovered apparently targeting participants in the recent Permanent Court of Arbitration case brought by the Philippines against China over Chinese claims of sovereignty in the South China Sea. The case was found against China last month. China itself did not accept the validity of the case, did not attend the arbitration, and has since rejected the ruling.
The cyber espionage campaign was discovered by F-Secure. It named it NanHaiShu, and has today published an analysis of the methodology and malware involved. NanHaiShu (南海鼠) translates to “South China Sea Rat” in English.
The malware was delivered by highly targeted emails in which individually crafted messages demonstrate that only specific organizations were targeted. These include the Philippines Court of Justice, the organizers of last November’s APEC Summit held in the Philippines (during which it was expected that the South China Sea dispute would be discussed), and a major international law firm that represents one of the parties in the dispute.
The malware delivered to the law firm was contained in an Excel macro. The message talks about “the range of salaries and/or bonuses”, and the XLS attachment filename is ‘Salary and Bonus Data.xls’. The combination of the email message and a VBA delivery mechanism suggests that considerable effort was put into researching the targets and socially engineering the attack. VBA simply will not work for targets with Excel’s default settings, suggesting that the attackers were aware that their targets specifically allow macros within their day to day work.
The malware itself is a remote access trojan (RAT) capable of downloading additional malware and exfiltrating files to the C&C server. F-Secure doesn’t know what files might have stolen from the victims, so cannot absolutely confirm the arbitration case as the primary motive. The timeline of infections, targets and notable events around the arbitration does, however, provide compelling circumstantial evidence.
The malware shows strong indications of Chinese origins, with code reused from Chinese forums. “The malware’s VBA base64 decoder function seems to be popular among Chinese programmers,” notes the report. “Searching for the variable names on the Internet leads to a handful of Chinese websites.”
But F-Secure does not attribute the attacks to the Chinese government, nor even to a specific Chinese malware group. F-Secure cyber security advisor Erka Koivunen told SecurityWeek that he cannot say for certain that the malware relates to any existing group (although some researchers are looking for similarities with the APT 17 group and the BLACKCOFFEE). He also said that attributing the attacks to the Chinese government would be a step too far; but he did say that he expects to see more of this group in the future.
Despite F-Secure’s refusal to describe this campaign as state-sponsored, there will undoubtedly be those who will make such an assumption. Since China was not present at an international arbitration case involving their own territorial claims means they would not have direct access to some of the information presented or discussed. Espionage would be one way to obtain this information.
Under such an assumption, the NanHaiShu gang become the equivalent of LEA informants — neither under the control of nor working to the instructions of the LEA, but nevertheless providing welcome information to that LEA.
One thing is certain — Chinese feelings in the South China Sea run deep. Soon after after the ruling it commenced a major wargames exercise with, according to ZeroHedge, “some 300 ships, dozens of fighter planes, and involved troops that are responsible for coastal defense radars, communications, and electronic warfare defense.”
In a separate publication, F-Secure provides information on how this and similar malware campaigns can be discovered and defeated.