Chinese Hackers Blamed for South China Sea Campaign

Security researchers have uncovered yet another targeted attack campaign aimed at Chinese detractors in the South China Sea, this time seemingly linked to the recent international tribunal on territorial rights.

F-Secure has named the malicious program at its heart NanHaiShu – a Remote Access Trojan designed to exfiltrate sensitive data from its targets.

The malware has been active for at least two years and arrives as an attachment in a classic spearphishing email containing socially engineered text to trick the recipient into opening it.

Interestingly, it contains a VBA macro which executes embedded JScript. This suggests that the threat actors behind it know the recipient organization uses VBA macros as standard – enabling them requires the user to change Office’s default settings.
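The article does not describe how the macro hands its JScript to a script engine, so the following is an added detection example, not F-Secure's analysis or any NanHaiShu code. It scans VBA macro source (as a defender would extract it from a document with a tool such as oletools' olevba) for the common pattern of an auto-executing procedure that instantiates a script control, sets its language to JScript and injects code. The indicator list and both sample macros are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Heuristic indicators (assumption: these are the usual ways VBA runs a string of
# JScript; the article does not say which mechanism NanHaiShu used).
INDICATORS = {
    "auto_exec": re.compile(
        r"\b(Sub|Function)\s+(AutoOpen|Document_Open|Workbook_Open|Auto_Open)\b", re.I),
    "script_control": re.compile(
        r'CreateObject\s*\(\s*"(MSScriptControl\.)?ScriptControl(\.\d+)?"\s*\)', re.I),
    "jscript_language": re.compile(r'\.Language\s*=\s*"JScript"', re.I),
    "code_injection": re.compile(r"\.(AddCode|Eval|ExecuteStatement)\b", re.I),
    "script_host": re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I),
    "js_dropper": re.compile(r'\.(js|jse)"', re.I),
}

# Indicators that show JScript (or a script host) actually being driven, as
# opposed to the macro merely running automatically.
EXEC_INDICATORS = {"script_control", "jscript_language", "code_injection",
                   "script_host", "js_dropper"}


@dataclass
class Verdict:
    hits: dict = field(default_factory=dict)  # indicator name -> first matching text
    suspicious: bool = False


def scan_macro(source: str) -> Verdict:
    """Flag macro source that auto-runs and drives an embedded script engine."""
    verdict = Verdict()
    for name, pattern in INDICATORS.items():
        match = pattern.search(source)
        if match:
            verdict.hits[name] = match.group(0)
    exec_hits = EXEC_INDICATORS & verdict.hits.keys()
    # Require both an auto-exec entry point and at least two execution indicators,
    # so a lone reference to a script host does not trip the rule on its own.
    verdict.suspicious = "auto_exec" in verdict.hits and len(exec_hits) >= 2
    return verdict


# Constructed sample: the shape of a macro that runs embedded JScript. The
# JScript string is a harmless placeholder, not a real payload.
SAMPLE_MACRO = '''
Sub Document_Open()
    Dim sc As Object
    Set sc = CreateObject("MSScriptControl.ScriptControl")
    sc.Language = "JScript"
    sc.AddCode "var x = 1; /* constructed placeholder */"
End Sub
'''

# Constructed sample: an ordinary formatting macro that should not be flagged.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        v = scan_macro(src)
        print(f"{label}: suspicious={v.suspicious} hits={sorted(v.hits)}")
```

The rule is deliberately conservative: an auto-open procedure alone is common in legitimate templates, and a single reference to wscript can be a false positive, so the verdict needs the entry point plus two distinct signs that script code is being fed to an engine.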

Multiple NanHaiShu samples were collected, but one particular strain interested F-Secure: it gathered intelligence related to a tribunal on territorial rights in the South China Sea – most of which the Middle Kingdom claims as its own.

That tribunal recently ruled in favor of the Philippines, claiming China had no historic ties to the waters and that it has breached the sovereignty of the south-east Asian nation in its attempts to seize reefs, rocks and islands in the area.

Key targets in the cyber campaign have been the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit – held in the Philippines in the run up to the ruling – and an international law firm representing one of the involved parties.

Whilst steering clear of naming Beijing in the report, F-Secure claimed those behind the attacks were of Chinese origin.

It explained:

“Our technical analysis indicates a notable orientation towards code and infrastructure associated with developers in mainland China. In addition, we also consider it significant that the selection of organizations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government. Based on these points, we believe that the threat actor is of Chinese origin.”

Interestingly, the C&C servers originally resolved to IP addresses hosted by US cloud computing providers, but then they suddenly shifted to one single IP address hosted in China, following news on 26 October of US naval movements in the South China Sea.

However, there’s no evidence suggesting why this might have happened, F-Secure cybersecurity advisor Erka Koivunen told Infosecurity.
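A defender tracking a known C&C domain can watch for the kind of hosting change described above: several IPs at one provider in one country collapsing to a single IP in another, close to a date of interest. The following is an added example, not F-Secure's tooling; the passive-DNS records, domain names, IPs (RFC 5737 documentation ranges), hosting-country labels and dates (the year is arbitrary) are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Resolution:
    domain: str
    seen: date      # day the domain was observed resolving to this IP
    ip: str
    hosting: str    # country of the hosting provider (constructed attribute)


@dataclass(frozen=True)
class Shift:
    domain: str
    when: date
    from_hosting: str
    to_hosting: str
    ips_before: int  # distinct IPs seen before the shift
    ips_after: int   # distinct IPs seen at the new hosting location


# Constructed passive-DNS history: a hypothetical C2 domain that moves from
# two US-hosted IPs to a single IP hosted elsewhere, plus a benign domain that
# only rotates between IPs at the same provider.
HISTORY = [
    Resolution("update.example-c2.net", date(2015, 9, 1), "192.0.2.10", "US"),
    Resolution("update.example-c2.net", date(2015, 9, 15), "198.51.100.23", "US"),
    Resolution("update.example-c2.net", date(2015, 10, 5), "192.0.2.10", "US"),
    Resolution("update.example-c2.net", date(2015, 10, 27), "203.0.113.7", "CN"),
    Resolution("update.example-c2.net", date(2015, 11, 3), "203.0.113.7", "CN"),
    Resolution("cdn.example-benign.org", date(2015, 10, 1), "192.0.2.50", "US"),
    Resolution("cdn.example-benign.org", date(2015, 10, 28), "192.0.2.51", "US"),
]


def hosting_shifts(history):
    """Return one Shift per change of hosting country in each domain's history."""
    by_domain = defaultdict(list)
    for rec in history:
        by_domain[rec.domain].append(rec)
    shifts = []
    for domain, recs in by_domain.items():
        recs.sort(key=lambda r: r.seen)
        for i in range(1, len(recs)):
            prev, cur = recs[i - 1], recs[i]
            if prev.hosting == cur.hosting:
                continue  # IP rotation within the same location is not a shift
            before = {r.ip for r in recs[:i]}
            after = {r.ip for r in recs[i:] if r.hosting == cur.hosting}
            shifts.append(Shift(domain, cur.seen, prev.hosting, cur.hosting,
                                len(before), len(after)))
    return shifts


def near_event(shift, event_day, window_days=7):
    """True if the shift happened on or within window_days after event_day."""
    delta = (shift.when - event_day).days
    return 0 <= delta <= window_days


if __name__ == "__main__":
    event = date(2015, 10, 26)  # constructed date of interest
    for s in hosting_shifts(HISTORY):
        flag = "NEAR EVENT" if near_event(s, event) else ""
        print(f"{s.domain}: {s.from_hosting}->{s.to_hosting} on {s.when}, "
              f"{s.ips_before} IP(s) before, {s.ips_after} after {flag}")
```

The benign domain produces no shift because its IPs stay with the same provider; the consolidation to one IP shows up in `ips_after`, which is the detail worth alerting on separately from the country change.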

“We do not know how big a success this operation was but we have anecdotal evidence that they were able to breach some of their targets and obtain material out,” he added. “The lack of signs of opportunism spells operational sophistication. One doesn’t launch a campaign like this without careful groundwork and high expectation of success.”
