Chinese malware spying on Philippines – security firm

MANILA, Philippines - Malware traced by a security firm to China has been discovered to have spied on the Philippine government and other parties related to the territorial dispute in the West Philippine Sea.

In a report released last week, Finland-based cyber security firm F-Secure identified the malware as NanHaiShu (translated as South China Sea rat), a Remote Access Trojan that can access information from infected computers to its command server.

“The threat actors behind this malware target government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea,” said F-Secure in a statement.

“Based on our observations, the timings of the attacks indicated political motivation, as they occurred either within a month following notable news reports related to the dispute, or within a month leading up to publicly known political events featuring the said issue,” it added.

On its white paper about the malware, F-Secure said NanHaiShu has been discovered in the wild a couple of year ago, but appeared to have been used to target specific websites such as the Philippine Department of Justice (DOJ), the organizers of the 2015 Asia Pacific Economic Cooperation held in Manila and an unidentified international law firm involved in the Philippine case against China.

“The common denominator among the targets selected is that they have some relation to the territorial dispute revolving around the South China Sea,” said the cyber security firm.

Its investigation on the malware started in 2013 when DOJ personnel received an e-mail containing a malware-infected file named “DOJ Staff bonus January 13, 2015.xls.”

It was sent to target DOJ employees after the third press release of the Permanent Court of Arbitration on the case filed against China.

Attacks on the international law firm representing the Philippines was also recorded, including an e-mail with a file targeting lawyers with a file name “Salary and Bonus Data.xls.”

“Our technical analysis indicates a notable orientation towards code and infrastructure associated with developers in Mainland China,” said F-Secure.

“We also consider it significant that the selection of organizations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government. Based on these points, we believe that the threat actor is of Chinese origin,” it added.

The attacker can download any file from infected machines. “The downloaded files or scripts may then be used for exfiltration of data that is likely to be highly sensitive, given the profile of its targets,” it added.

Cyber attacks

Earlier, several Philippine government websites had supposedly been subjected to various forms of cyber attacks following the release of the ruling on the arbitration case filed by Philippines against China on July 12.

The STAR learned that at least 68 websites had been subjected to attacks, which included attempts of hacking and defacement, slowdowns and distributed denial of service attacks.

Among those that were at the end of the attacks include websites of agencies such as the Department of National Defense, the Philippine Coast Guard, Department of Foreign Affairs, Department of Health, the Presidential Management Staff and the gov.ph domain registry website.

In July 2015, another cyber-security company reported that the Permanent Court of Arbitration website was infected with a malware by “someone from China.”

Citing information from ThreatConnect Inc., Bloomberg Business reported that the attack happened amidst of the week-long hearing on the jurisdiction of the arbitration case filed by Manila against Beijing over the territorial dispute in the West Philippine Sea.