
Chinese Hackers Thought to Target Philippines Over South China Sea Dispute

Security company F-Secure says malware that targeted the Philippines government and other organisations is linked to disputes over the South China Sea.

Hackers believed to come from China have targeted high-profile organizations involved in the controversial dispute between China and the Philippines over control of the South China Sea, using malware designed to steal sensitive information from the Philippines government and other targets.

According to new research published by Finnish security firm F-Secure, hackers based in China targeted employees at the Philippines Department of Justice, as well as the organisers of the Asia-Pacific Economic Cooperation (APEC) summit, which both US president Barack Obama and Chinese president Xi Jinping attended, and employees at a major international law firm which was representing one of the parties involved.


More organizations were targeted during the campaign but have not been named in the report due to the sensitive nature of the material associated with them, according to Erka Koivunen, cybersecurity advisor at F-Secure, who spoke to Motherboard.

"Whenever there are political disputes and big stakes on political and economic matters, I would always assume that espionage by any means is going to take place"

Having analyzed various samples of the malware, the researchers concluded that, based on the code and infrastructure utilized, the malware originated in China, though the company has stopped short of pointing the finger directly at the Chinese government.

"We are not in a position to say it was government per se that has ordered this campaign, and even if it was we would not be in a position to say which organization within China's government that would be," Koivunen said.

Given how difficult attribution is in cyberattacks, this is unsurprising, though the company did say it considers "it significant that the selection of organizations targeted for infiltration is directly relevant to topics that are considered to be of strategic national interest to the Chinese government."

The South China Sea is a hotly disputed territory where China claims sovereignty over vast swathes of the islands and waters within the zone—claims which are disputed by not only the Philippines but also Malaysia, Vietnam, Brunei, and Taiwan. Others, including the US, also have vested interests in keeping the waters open as the area hosts one third of the world's shipping routes. China's plans for the region include the development of a deep sea "space station" almost 10,000 feet under the disputed waters.


The Permanent Court of Arbitration in The Hague last month ruled in favour of the Philippines, saying China has "no historic rights" to the territory. China has rejected the ruling.

While there are multiple parties involved in the dispute, the hacking campaign has only targeted organizations related to the dispute between China and the Philippines — which could have something to do with the fact that the Philippines was the only country which took the dispute to international arbitration.

The first version of the malware listed by F-Secure comes from January 2015 and targets the Philippines' Department of Justice, a month after the Permanent Court of Arbitration issued a request for further information from the Philippines government regarding the dispute.

At the time, the malware was connecting to command and control servers hosted by a cloud computing service in the US, but that changed in October 2015 when all servers pointed to a Chinese IP address. This change coincided with news reports of US ship movements in the South China Sea.

Koivunen describes the software, dubbed NanHaiShu, as "pretty generic remotely administrable malware," which allowed the attackers to exfiltrate files on the infected computers, sending them to command and control (C&C) servers.

The skill came in the social engineering aspect of the attacks, which saw the attackers write emails targeting specific employees within the organizations. "The attackers were able to craft pretty convincing decoy documents and use lingo specific to the type of business the targeted individual was engaged in," Koivunen said.

One example of this was an email which targeted an employee within the Philippines Department of Justice with an attachment claiming to feature details of staff bonuses.

It is unsurprising that actors in this dispute are taking such steps to gain an advantage in talks over control of the area. The South China Sea is believed to hold an estimated 11 billion barrels of oil and 190 trillion cubic feet of natural gas while approximately $5.3 trillion of total annual trade passes through it.

"Typically, whenever there are political disputes and big stakes on political and economic matters, I would always assume that espionage by any means is going to take place — and cyber espionage is known to be cost effective and reasonably difficult to attribute," Koivunen said.