Malware Called 'South China Sea RAT' Spied on Philippines, Other Targets

A malware  known as NanHaiShu or “South China Sea Remote Access Trojan (RAT)” in Mandarin was discovered to have gathered intelligence related to the South China Sea arbitration case from the Philippines and organizations involved in assisting the South East Asian country which won an international arbitration case against China.

Hackers believed to be from China have attacked government and private-sector organizations linked to the row over the key waterway, a Japan Times report said quoting an analysis by Finnish cybersecurity firm F-Secure.

While asserting that it had no proof of Chinese government involvement, the F-Secure analysis said that hackers have tried to extract sensitive information from the Philippines and other targets.

Notable targets included the Philippines Department of Justice, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and an unidentified major international law firm involved in last month’s South China Sea arbitration decision at The Hague which went in favour of the Philippines, the report said.

The Department of Justice is believed to have played a key role in the case and reports ahead of a November 2015 APEC event in the Philippines had said leaders attending the summit would discuss the South China Sea issue, the Japan Times report said.

F-Secure said more organizations had been targeted, but details had been withheld at their request. The omitted portions of the report, however, did not indicate that the arbitration court would itself have been targeted by this malware campaign, Erka Koivunen, a cybersecurity adviser with F-Secure, was paraphrased in The Japan Times.

“Based on the specific selection of organizations targeted for attack by this malware, as well as indications revealed in our technical analysis of the malware itself, we believe the threat actor to be of Chinese origin,” the F-Secure report said.

The first version of the malware was spotted by the firm in January 2015, just after the Permanent Court of Arbitration posted a press release about the case asking for more information from the Philippine government.

While the malware samples uncovered by F-Secure had initially been connecting to command-and-control servers hosted by a U.S. cloud-computing service, that changed on Oct. 26, 2015, when all servers pointed to a Chinese IP address. This shift coincided with reports of a U.S. Navy ship making the first in a planned series of so-called freedom of navigation operations near Chinese-controlled islets in the South China Sea.

Called a Remote Access Trojan (RAT), it is spread in spear-phishing email messages that contain the malware as a file attachment, the report said. The email message contents include, among other things, industry-specific terminology indicating they were deliberately crafted with specific targets in mind.

Delivered via email in the form of convincingly crafted decoy files, the victim is enticed to open the attachment and voluntarily turn off protections, according to Koivunen, one of the authors of the F-Secure report.

One email, for example, targeted a Philippines Department of Justice employee with an attachment claiming to contain details of “staff bonuses.”

“The malware uses no vulnerabilities to get past security controls; rather it uses social-engineering tactics to convince the targeted user to take the trojan malware inside and install it on his or her computer,” Koivunen told Japan Times.