South China Sea dispute escalates into all-out cyber war

F-Secure points finger at China over Trojan targeting Philippines' government

Malware that appears to be controlled from China targeting countries involved in the dispute over South China Sea national boundaries has been uncovered by security software vendor F-Secure.

The discovery of the malware follows a ruling by the Permanent Court of Arbitration in The Hague over China's territorial claims to most of the South China Sea in a case brought by the government of the Philippines.

The international tribunal ruled against China's claims, but China's foreign ministry rejected its judgement, declaring that the decision was "null and void and has no binding force".

The malware, a remote-access Trojan, enables its controllers to exfiltrate data from infected machines. F-Secure claims that it was widely deployed in the run-up to the 12 July ruling. The Philippines seems to have been targeted in particular by the campaign, while the malware, dubbed NanHaiShu by F-Secure, appeared to make use of code and infrastructure associated with China.

Specifically, the targets included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation (APEC) Summit and an international law firm representing one of the involved parties.

"This APT (advanced persistent threat) malware appears to be tightly linked to the dispute and legal proceedings between the Philippines and China about the South China Sea," said Erka Koivunen, cyber security adviser at F-Secure.

He continued: "Not only are the targeted organisations all related to the case in some way, but its appearance coincides chronologically with the publication of news or events related to the arbitration proceedings."

According to F-Secure's research, the company has been picking up samples of NanHaiShu in the wild for a couple of years. Propagated via targeted spear-phishing attacks, the malware arrives as an e-mail attachment rather than exploiting security flaws in operating systems or Adobe software to implant itself more surreptitiously on compromised systems.

"The attached file contains a VBA macro that executes an embedded JScript file. It is likely that the threat actor knew the targets use VBA macros in their business environment, since the attack only works if the default security setting in Microsoft Office is modified to allow macro execution," claims the F-Secure report.

"Once installed on a machine in the target network, NanHaiShu sends information from the infected machine to a remote command and control server," it continues.

In addition to the geo-political link, there are a number of other pointers that indicate that the Chinese government is behind it. The malware's Visual Basic for Applications (VBA) decoder is particularly popular among programmers in China, and the variable initialisation used by the VBA malware script appears to be a forked version of the JavaScript base64 decoder.

This latter code has been publicly available in a blog post on the Chinese Software Developer Network website since early 2005.

The command-and-control infrastructure also points to China: it shifted from US-hosted IP addresses to Chinese ones in October 2015. "Our technical analysis indicates a notable orientation towards code and infrastructure associated with developers in mainland China.

"In addition, we also consider it significant that the selection of organisations targeted for infiltration is directly relevant to topics that are considered to be of strategic national interest to the Chinese government," claimed F-Secure.

The dispute in the South China Sea has been simmering for some time, but was sent to the Court of Arbitration in December 2014. China claims almost all of the South China Sea based on historic precedent, but its claims are rejected by other nations that border it.

In recent years, the Chinese government has claimed various islands in the South China Sea and built artificial islands to, literally, cement its claims. However, the Court ruled that these claims had no merit under well-established maritime law.