The South China Sea is an increasingly dangerous place to be in cyberspace. And as China is involved in territorial disputes over the area that bears its name with virtually all of its neighbours, there are no shortages of targets for its army of state-sponsored operatives.
F-Secure is the latest security vendor to confirm what most of us know already – that Chinese hackers, most likely working for the state, have been systematically stealing data from organisations with interests in the region for years now. It’s new report, NanHaiShu: RATing the South China Sea, details a new piece of information-stealing malware used in campaigns targeting government and private sector firms. Why? They were all involved, directly or indirectly, in a recent UN tribunal over ownership of a group of rocks in the South China Sea. Victims included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the tribunal
F-Secure cyber security adviser, Erka Koivunen, told me he suspects a nation state was behind the attacks, although definitive attribution is always hard.
“Admittedly the malware itself may not be the most sophisticated piece of code there is. That doesn’t however mean that the operation wasn’t sophisticated,” he said via email. “The lack of zero-days and bleeding edge alien technology may admittedly seem a bit boring, but in fact is a sign of cold calculation and professionalism on the level of execution.”
This report is the latest of a long line of similar intelligence highlighting extensive cyber espionage in the region related to Beijing’s interests in the South China Sea and the rocks, reefs and islands that dot the landscape. Late last year a ThreatConnect report revealed an alleged PLA cyber espionage campaign dating back five years and targeting the Philippines, Singapore, Thailand, Vietnam and many others in the region. US interests have also been attacked.
William Glass, threat intelligence analyst at FireEye, believes this is just the beginning, as China begins to flex its muscles in the region.
“More recently, we have seen the list of targets expand to energy companies, legal firms, and even GitHub, targeted by China’s Great Cannon in March 2015,” he told me. “Beyond simply stealing information, Beijing has found there are benefits to using cyberspace to propagandise and attempt to influence behaviour.”
He claimed that the army’s new Strategic Support Force may see disputes in the area as the perfect opportunity to test its significant capabilities, which could range from range from “typical cyber espionage to learn of plans and intentions of commercial companies to efforts designed to influence companies’ decisions to invest or operate in the South China Sea.”
“Recently, the Chinese media has singled out Australia and Japan for particularly harsh criticism following the tribunal ruling,” Glass explained.
“It’s possible that China-based groups—with or without official government backing—will target Australian and Japanese commercial interests in retaliation for perceived interference or in an attempt to force Canberra and Tokyo to more carefully consider any follow-on action.”
For starters, firms working in the energy, logistics and shipping, and political and legal advocacy sectors in the region would do well to redouble their cyber security efforts. But the truth is that any organisation that deals with China or works in an industry where Chinese companies have interests – which is virtually every organisation – should consider the threat of state-sponsored attacks from the East. Yes, it’s more likely they’ll encounter ransomware than an info-stealing RAT guided by the PLA. But the threat is there, and as UK organisations increasingly look to the Middle Kingdom in this post-Brexit world, it’s one they should all take seriously.
I seem to have chosen the wrong time to come back from Hong Kong. Just a fortnight after landing back in Blighty, the US raised the stakes between the two superpowers, and mortally offended China’s honour, by indicting five PLA soldiers on charges of hacking US firms for economic gain.
I’ve written enough about it here and here already, so I won’t go into the pros and cons of this high risk strategy again. Safe to say that Beijing already appears to be retaliating in the most effective way possible; by making things decidedly difficult for US tech firms in the Middle Kingdom. Already reports have emerged that Cisco and IBM could be in trouble.
Is a new Cold War about to begin?
Well, if it does, one company it might be worth keeping an eye on is threat intelligence firm Cyber Squared. The firm’s ThreatConnect Intelligence Research Team has an interesting and very thorough analysis of new APT-style cyber attack campaigns in the disputed South China Sea (SCS) region, as I wrote about here.
“What’s that got to do with us?” you might ask. Well, potentially quite a lot, according to Cyber Squared chief intelligence officer, Rich Barger.
“There is a risk of increased data loss for Western firms that routinely work with Vietnamese, Filipino, and other SCS region companies,” he told me. “Unit 61398/APT1 operates on the whim of the PRC, and cyber espionage has been adopted as the preeminent ‘low risk – high payoff’ medium for strategic intelligence collection.
“We typically see companies that are infrastructure related being targeted. Industries such as energy, oil & gas, mining, and transportation may find themselves directly or indirectly impacted.”
The message is loud and clear; if you have any military, economic or geopolitical stake in the SCS region, be aware that Chinese cyber operatives are increasing their activity.
“China has had a long standing national and regional interest within the South China Seas region,” explained Barger.
“It offers them a strategic economic advantage in terms of regional and global energy development and trade. From a military perspective, a strong Chinese presence within the SCS also counters the US pivot to South East Asia where China’s military modernisation, especially its navy, and regional assertiveness have come to an intersection.”
Barger argued that the various disparate groups at risk in the SCS need to start sharing information on attacks and “observing both the technical picture and the geo-political context”.
“It is important for those within these targeted industries to actively invest in threat intelligence processes as a standard business practice that supports internal information security operations,” he concluded.
“It is equally important that technical leaders effectively interpret and articulate regional threats and the context surrounding them to corporate business leaders.”
This week we saw more news emerge of the escalating tit-for-tat cyber attacks apparently being launched by actors sympathetic to the Philippines and China over a naval stand-off in the South China Sea.
Scarborough Shoal – also known as Panatag Shoal or Huangyan island – is the region long-disputed by the two countries and things got serious earlier this month after Filipino navy officials tried to arrest Chinese fisherman operating in the area but were stopped by Chinese surveillance boats.
Cue a barrage of cyber attacks on Philippine government and university web sites by apparent Chinese hackers, and then reprisals from the other side.
It’s pretty basic stuff, site defacement and DDoS attacks designed to send a clear message to the other side, and in this kind of thing China is probably a world leader.
Although it will never be revealed exactly how many patriotic hacktivists there are in the People’s Republic, what’s more interesting is their relationship with the government. In all but the most repressive states – think Iran or Syria – governments disassociate themselves from any hacking behaviour, but I learnt recently that China has done the opposite.
It has long been suspected, but China has effectively made a deal with the hacking community, a source told me, which goes thus:
- Never hack your own government or companies in your own country
- If you find anything of interest in your hacking activities which could help your country improve its status on the world stage, hand it over.
- When called upon to help the ‘cyber military’, make sure you respond
The deal is simple, the source explained, follow these rules and you can hack away with impunity. It means attacks of the sort seen this month on the Philippines can be carried out with the covert blessing of the government and the Party.
Of course the PRC’s standard response to these accusations is that it denounces all hacking activities, that it is taking steps to prevent cyber crime and that China itself is as much a victim of such attacks as western countries.
Even if tracking technologies mature to the level where the source of such attacks can be pinpointed, by operating at arm’s length, the government will always have the advantage of plausible deniability. It’s just a case of whether the international community will eventually lose patience with China and demand action, economic superpower or not.