Hackers have launched a malware espionage campaign aimed at stealing information from high-profile targets involved in the South China Sea dispute. The campaign is believed to be the work of China-based, state-sponsored hackers and has already targeted the Philippines Department of Justice (DOJ), the organisers of the APEC (Asia-Pacific Economic Cooperation) summit and a prominent international law firm.
According to cybersecurity firm F-Secure, which has named the campaign NanHaiShu, it has been running for some time and uses spearphishing emails to deliver malicious attachments carrying a remote access trojan (RAT). The emails were drafted with "industry-specific terms", indicating that the campaign was aimed at particular individuals and organisations rather than sent indiscriminately.
"We believe these entities were targeted for their involvement in a dispute centring on the South China Sea. Based on the specific selection of organisations targeted for attack by this malware, as well as indications revealed in our technical analysis of the malware itself, we believe the threat actor to be of Chinese origin," F-Secure said in its report.
"Whenever there are political disputes and big stakes on political and economic matters, I would always assume that espionage by any means is going to take place," F-Secure cybersecurity adviser Erka Koivunen told Motherboard. However, given the challenging nature of attributing cyberattacks to specific parties, the firm has stressed that it cannot say conclusively that the Chinese government was involved in the attacks.
"We are not in a position to say it was government per se that has ordered this campaign, and even if it was we would not be in a position to say which organization within China's government that would be," Koivunen added.
As a RAT, NanHaiShu sends information about the infected machine to its command and control (C&C) servers, and the attackers can also use it to retrieve any file from the compromised system.
"The Excel sheets were named in a fashion that invites the recipient to open up the document and ignore the displayed macro security warnings. Once the macros have been disabled, the malware drops an embedded JScript file on the victim's machine, causing the computer to be infected. After that, it can be remotely commanded by the attackers," Koivunen said, as ZDNet reported.
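The infection chain described above (a lure spreadsheet whose macro drops a JScript file and runs it) leaves a characteristic trace in process-creation telemetry: an Office application spawning a Windows script host. The following detection is an added example, not code from F-Secure's report or from the article. It assumes the dropped script is launched through wscript.exe or cscript.exe as a child of Excel, and it reads constructed JSON-lines events modelled loosely on Sysmon Event ID 1; the paths, PIDs and file names in the sample log are invented.

```python
"""Flag Office applications that spawn a Windows script host (added example;
assumes the dropped JScript runs via wscript.exe/cscript.exe as a child of the
Office process; the event format and sample records are constructed here)."""
import json
import ntpath
import re

# Office applications that have no legitimate reason to spawn a script host.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Windows script hosts capable of executing a JScript (.js) file.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script path on the command line, either quoted (may contain spaces) or bare.
SCRIPT_PATH_RE = re.compile(
    r'"([A-Za-z]:\\[^"]+?\.(?:jse?|vbe?|wsf))"'
    r'|([A-Za-z]:\\\S+?\.(?:jse?|vbe?|wsf))(?=\s|$)',
    re.I,
)
# Locations a macro can write to without elevation; a script started from here
# looks like drop-and-run rather than an admin-deployed logon script.
USER_WRITABLE_RE = re.compile(r"\\(?:Temp|AppData|Downloads|Desktop)\\", re.I)

# Constructed sample log: event 3 is the Excel -> wscript.exe chain to catch;
# events 4 and 5 are benign controls (Excel's print helper, a domain logon script).
SAMPLE_LOG = r'''
{"pid": 3988, "ppid": 1200, "image": "C:\\Windows\\explorer.exe", "cmdline": "C:\\Windows\\explorer.exe"}
{"pid": 4120, "ppid": 3988, "image": "C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE", "cmdline": "\"C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE\" \"C:\\Users\\alice\\Downloads\\meeting_agenda.xls\""}
{"pid": 4188, "ppid": 4120, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\update.js\""}
{"pid": 4201, "ppid": 4120, "image": "C:\\Windows\\splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 12288"}
{"pid": 4310, "ppid": 3988, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "\"C:\\Windows\\System32\\wscript.exe\" \"\\\\fileserver\\netlogon\\mapdrives.vbs\""}
'''


def parse_events(log_text):
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_office_script_launch(events):
    """Return one alert per script-host process whose parent is an Office app.

    The parent image is resolved from the log itself (pid -> event), so the
    events must cover the parent's creation; a script host whose parent was
    started before logging began yields no alert rather than a guess. PID reuse
    is ignored here; a production rule would also compare process start times.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in SCRIPT_HOSTS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or ntpath.basename(parent["image"]).lower() not in OFFICE_IMAGES:
            continue
        m = SCRIPT_PATH_RE.search(e["cmdline"])
        script = (m.group(1) or m.group(2)) if m else None
        # A script dropped into a user-writable directory matches the macro
        # drop-and-run behaviour; anything else is still worth a look.
        severity = "high" if script and USER_WRITABLE_RE.search(script) else "medium"
        alerts.append({
            "pid": e["pid"],
            "parent_pid": parent["pid"],
            "parent_image": parent["image"],
            "parent_cmdline": parent["cmdline"],  # carries the lure document name
            "script": script,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_office_script_launch(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

Run against the sample log, the rule fires once, on the wscript.exe process whose parent is EXCEL.EXE and whose argument is a .js file under the user's Temp directory, and stays silent on Excel's print helper and on the logon script launched by explorer.exe. The parent-child pairing is the key: a script host on its own is normal on a managed Windows estate, and a macro-enabled spreadsheet on its own is common in finance and legal offices, but an Office process launching a script host against a freshly written file in a user-writable path is the drop-and-execute step the quote describes.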
The earliest sample F-Secure researchers found targeted the Philippines DOJ and dates from January 2015, a month after the Permanent Court of Arbitration in The Hague asked the Philippine government to provide further information on the dispute.
The campaign also targeted other major organisations, but, given the sensitivity of the matter, F-Secure has declined to name them in its report.