South China Sea Cyber Scuffles Could Impact Western Firms

Threat researchers have urged organizations with a stake in south-east Asia to invest in advanced cyber intelligence to counter a growing number of Chinese espionage operations against entities in the Philippines, Vietnam and elsewhere in the South China Sea (SCS).
 
Cyber Squared’s ThreatConnect Intelligence Research Team (TCIRT) signalled the warning in a lengthy blog post on Monday, the same day Washington took the unprecedented step of indicting five PLA operatives for alleged hacking campaigns against US targets.
 
It said that the disputed SCS region – which has long been a bone of contention between south-east Asian nations and China – is coming under increasing scrutiny from Beijing’s army of cyber operatives, who are under orders to gain intelligence about commercial, diplomatic, and military targets there.
 
TCIRT detailed one typical attack, which used a Microsoft Word document “weaponized” with an exploit for CVE-2012-0158 (the MSCOMCTL ActiveX control vulnerability) and engineered to drop the malware used by the “Naikon” APT group, which in turn called out to the command-and-control (C&C) domain free.googlenow[.]in.
 
The document was originally authored by Hoang Thi Ha, a senior officer for geo-political and economic body the Association of Southeast Asian Nations (ASEAN), and related to talking points for a special ASEAN meeting with Chinese ministers in Beijing.
 
ThreatConnect continued:
 
“According to document properties, the talking points document was created on the 26th of August, meaning the attackers likely maintained persistent access to the ASEAN networks prior to that date, then accessed a computer or storage medium that housed the draft document, exfiltrated the legitimate document, weaponized it with an exploit and payload implant, then finally conducted secondary targeting operations, all within the 48-hour window leading up to the meeting on 28 August.”
 
From August 2013 to May 2014, TCIRT observed the C&C domain used in that attack resolving to numerous different IP addresses, the vast majority of them in the Chinese city of Kunming and in Hong Kong.
 
“The attackers utilized this dynamic infrastructure as a means of ‘digital mobility’ to circumvent network defenses and frustrate the analytic and investigative processes,” it said.
 
TCIRT also found the domain in question, free.googlenow[.]in, was registered by a certain "ivyfatima@yahoo.com", the same email address used to register other malicious Naikon APT domains.
 
That registrant address was likely chosen to spoof the personal address of an ASEAN Department of Foreign Affairs assistant, Ivy Fatima Ferrer, who had used her personal Yahoo account for official business.
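The registrant-email and hosting overlaps described above are the raw material for infrastructure pivoting: start from one C&C domain, walk to every other domain sharing its registrant address, then to every domain that has shared an IP address with any of those, and repeat. The script below is an added example, not ThreatConnect's code. Only the seed domain free.googlenow[.]in (refanged in the code) and the registrant address ivyfatima@yahoo.com come from the report; every other domain, IP address (RFC 5737 documentation ranges) and date is constructed for illustration. It also shows the check a practitioner needs: a registrant address or IP that is shared by a large number of domains (a privacy proxy, a parking page, shared hosting) must not be pivoted on, or the cluster explodes into unrelated sites.

```python
"""Pivot from a seed C&C domain over WHOIS registrant e-mail and passive DNS.

Added example; not ThreatConnect's code. Seed domain and registrant e-mail are
from the report, all other records are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Whois:
    domain: str
    registrant_email: str


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    first_seen: date
    last_seen: date


SEED_DOMAIN = "free.googlenow.in"       # free.googlenow[.]in, refanged
SEED_EMAIL = "ivyfatima@yahoo.com"

# Constructed WHOIS records: three domains on the same registrant e-mail,
# one unrelated domain, and a dozen parked sites behind a privacy proxy.
WHOIS = [
    Whois(SEED_DOMAIN, SEED_EMAIL),
    Whois("update.googlenow.in", SEED_EMAIL),                  # constructed
    Whois("lure.hypothetical.net", SEED_EMAIL),                # constructed
    Whois("other.hypothetical.net", "ops@hypothetical.net"),   # constructed
] + [Whois(f"site{i}.parked.example", "privacy@proxy.example") for i in range(12)]

# Constructed passive DNS: the seed hops between IPs over time ("digital
# mobility") and finally lands on a parking IP shared with many sites.
PDNS = [
    Resolution(SEED_DOMAIN, "203.0.113.10", date(2013, 8, 20), date(2013, 9, 2)),
    Resolution(SEED_DOMAIN, "203.0.113.11", date(2013, 9, 3), date(2013, 11, 15)),
    Resolution(SEED_DOMAIN, "198.51.100.5", date(2013, 11, 16), date(2014, 5, 1)),
    Resolution(SEED_DOMAIN, "192.0.2.1", date(2014, 5, 2), date(2014, 5, 20)),
    Resolution("update.googlenow.in", "203.0.113.10", date(2013, 8, 25), date(2013, 9, 2)),
    Resolution("other.hypothetical.net", "198.51.100.5", date(2014, 1, 1), date(2014, 3, 1)),
] + [Resolution(f"site{i}.parked.example", "192.0.2.1", date(2014, 1, 1), date(2014, 6, 1))
     for i in range(12)]

# Pivot keys shared by more domains than this are treated as proxy/parking/
# shared hosting and are never expanded. Thresholds are illustrative.
MAX_DOMAINS_PER_EMAIL = 10
MAX_DOMAINS_PER_IP = 10


def build_indexes(whois, pdns):
    """Forward and reverse lookups for both pivot types."""
    email_of = {w.domain: w.registrant_email for w in whois}
    domains_by_email = defaultdict(set)
    for w in whois:
        domains_by_email[w.registrant_email].add(w.domain)
    ips_of = defaultdict(set)
    domains_by_ip = defaultdict(set)
    for r in pdns:
        ips_of[r.domain].add(r.ip)
        domains_by_ip[r.ip].add(r.domain)
    return email_of, domains_by_email, ips_of, domains_by_ip


def pivot(seed, whois=WHOIS, pdns=PDNS, max_hops=2):
    """Breadth-first pivot from `seed`; returns {domain: hop distance}.

    A hop is either "same registrant e-mail" or "shared resolved IP". Keys
    that are too widely shared are skipped so the cluster stays attributable.
    """
    email_of, domains_by_email, ips_of, domains_by_ip = build_indexes(whois, pdns)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        d = queue.popleft()
        if hops[d] >= max_hops:
            continue
        neighbours = set()
        email = email_of.get(d)
        if email and len(domains_by_email[email]) <= MAX_DOMAINS_PER_EMAIL:
            neighbours |= domains_by_email[email]
        for ip in ips_of.get(d, ()):
            if len(domains_by_ip[ip]) <= MAX_DOMAINS_PER_IP:
                neighbours |= domains_by_ip[ip]
        for n in neighbours:
            if n not in hops:
                hops[n] = hops[d] + 1
                queue.append(n)
    return hops


def hosting_timeline(domain, pdns=PDNS):
    """Chronological (first_seen, last_seen, ip) hops for one domain."""
    return [(r.first_seen, r.last_seen, r.ip)
            for r in sorted(pdns, key=lambda r: r.first_seen) if r.domain == domain]


if __name__ == "__main__":
    for domain, hop in sorted(pivot(SEED_DOMAIN).items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {domain}")
    for first, last, ip in hosting_timeline(SEED_DOMAIN):
        print(f"{SEED_DOMAIN} -> {ip} ({first} to {last})")
```

With the constructed data the cluster is the three registrant-linked domains plus other.hypothetical.net, reached through the IP 198.51.100.5; the twelve parked sites stay out because the parking IP 192.0.2.1 and the proxy e-mail both exceed the sharing threshold. In practice the thresholds need tuning per data source, and every hop should be recorded with the evidence that produced it so an analyst can audit the chain rather than trusting the cluster blindly.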
 
Other targets for the alleged Chinese hackers discovered by TCIRT included the Philippine military, with classified documents often being exfiltrated as part of intelligence gathering, and then repurposed as malicious lures in follow-up campaigns.
 
“Western and regional military and diplomatic organizations should be wary of sharing classified information with their Filipino counterparts until they can ensure that classified communications and handling process are indeed safeguarded within these sensitive environments,” TCIRT warned.
 
Cyber Squared reported that several Vietnamese entities had been breached in similar APT-style attacks, including the Ministry of Natural Resources; the state-run telecoms giant Vietnam Posts and Telecommunications Group (VNPT); Vietnam’s second largest oil producer, PetroVietnam; and the Vietnam News Agency.
 
As with all attacks of this kind, conclusive attribution all the way back to Beijing is virtually impossible, but TCIRT managed to link quite specific “notable” events in the SCS area over the same period to various campaigns and thus infer motives.
 
These include possible long-term attempts by China to secure more of the region for natural gas and other energy sources; and to monitor other countries' response to its controversial “air defense identification zone” (ADIZ), created last November.
 
Another motive is to gather intelligence on SCS countries such as Vietnam and the Philippines, which support the US pivot to Asia and have tried to settle regional disputes through ASEAN and the UN rather than bilaterally with China, as Beijing insists.
 
In closing, TCIRT warned that Chinese cyber espionage would continue to be the main “low risk, high pay-off” tactic of choice for Beijing. It added that international bodies, nations and individuals should expect to see sophisticated targeted attacks continue to increase as SCS tensions increase – with western commercial interests far from immune.
 
“Industries such as energy, mining, and transportation may find themselves directly or indirectly impacted as regional tensions ebb and flow,” TCIRT said. “It is important for those within these sectors to actively invest in threat intelligence processes as a standard business practice that supports internal information security operations.”
