There aren’t many territorial areas around the world more disputed than the South China Sea. And that’s because China claims virtually all of it, much to the chagrin of neighbours Malaysia, Vietnam, the Philippines and others. Now, a newly discovered malware campaign appears to show how Chinese hackers launched info-stealing attacks at several parties involved in an international tribunal on territorial rights in the area. The tribunal eventually ruled in favour of the Philippines over China, but this isn’t the first and it won’t be the last such incident.
It’s shown us once again that if you get close to the Middle Kingdom – virtually or physically – you should expect to be on the receiving end of some seriously unwanted attention in cyberspace.
The NanHaiShu campaign
The report in question comes from Helsinki-based F-Secure. It focuses on a new Remote Access Trojan (RAT) dubbed NanHaiShu and used to infect, among others, the Philippines Department of Justice, organisers of the Asia-Pacific Economic Cooperation (APEC) Summit, and an international law firm representing one of the parties involved in the tribunal.
The malware itself is “not the most sophisticated piece of code there is”, the vendor’s cybersecurity advisor, Erka Koivunen, told me by email. But the operation to get it onto the systems of its highly selected targets most certainly was. Like many such attacks it arrived in the form of a convincing but malicious attachment. To get the recipient to open such is not easy, especially if they’re well trained to spot dubious looking and unsolicited mail.
“The phishing messages were not randomly spread out but rather were highly targeted and tailor-made for each recipient to create enough motivation – topics were relevant, the use of professional lingo was convincing – to go through the trouble of opening the mail and executing the malicious content,” Koivunen explained.
“The attackers also appeared to be very confident that the users would (a) receive the documents, (b) be able to bypass the macro security warnings in Microsoft Office, and (c) that the malicious payload would be able to launch, persist and communicate once on the victim’s machine.”
This all smacks of the kind of “cold calculation and professionalism”, careful planning and a “good level of prior intelligence” one would associate with a nation state. Granted, some sophisticated cybercrime gangs do similar, but the code, infrastructure and targets of this campaign led F-Secure to attribute this to Chinese actors.
Same old story
This has happened before, of course. In autumn 2015 ThreatConnect claimed in a report that PLA Unit 78020 had been involved in a five-year espionage campaign with targets including the Philippines, Singapore, Thailand and Vietnam and many others in the region. And more than a year before that, we reported new intelligence confirming likely China-based operatives had also targeted US installations and interests in the region.
FireEye threat intelligence analyst, William Glass, told me that the list of targets included in such campaigns is growing all the time, while their aims have also expanded, from mere intelligence-gathering to “influencing behaviour”.
“Organisations involved in energy exploration and extraction, logistics and shipping, or political and legal advocacy should be on guard for targeting by Chinese groups as we wait to see how China will respond to the international rebuke of its territorial claims,” he warned.
“It’s also possible that China-based groups—with or without official government backing—will target Australian and Japanese commercial interests in retaliation for perceived interference or in an attempt to force Canberra and Tokyo to more carefully consider any follow-on action.”
It’s not just in geopolitical and territorial matters that China wants to know what’s going on. Reports in the past have suggested that China earmarks huge sums each year not only on the acquisition of IP and trade secrets from foreign firms but also on the reverse engineering and “tech transfer” to its own producers. That means if your business operates in an industry or produces goods/services China wants to get its hands on, then you’re a target. Or, indeed, if your firm operates in the supply chain of such a company.
The US and China may have signed a deal last year agreeing to no more economic espionage. But only CISOs with an insatiable risk appetite would take Beijing at its word.
PREVIOUS ARTICLE«Losing CIOs to startups could be costly