How hackers used this Trojan malware to spy on a territorial dispute

F-Secure researchers say parties involved in the South China Sea arbitration case were infected with the data-stealing NanHaiShu Trojan.
Written by Danny Palmer, Senior Writer

Cyber warfare appears to be the latest tool deployed in the territorial dispute over the South China Sea

Image: iStock

Hackers have used targeted malware to steal data from some of the governments and private sector organisations involved in the dispute over territory and sovereignty in the South China Sea.

Cybersecurity company F-Secure Labs uncovered the malware, dubbed NanHaiShu by researchers, which it said targeted the Philippines Department of Justice, a major international law firm involved in the South China Sea case, and the organisers of November 2015's Philippines-based Asia-Pacific Economic Cooperation (APEC) Summit.

Erka Koivunen, cyber security advisor at F-Secure, said the NanHaiShu campaign is particularly sophisticated in nature.

"This isn't an ordinary, run-of-the-mill opportunist piece of malware, but something that somebody has put some thought into and effort into, running a campaign with a selected group of organisations and individuals that are being targeted."

NanHaiShu is a remote access Trojan which is able to send any information from an infected machine to a remote command and control server with a Chinese IP address. All the machines targeted by the malware are within organisations that hold data on topics considered to be of strategic national interest to the Chinese government.

F-Secure suspects that the malware was being used to gain better visibility of the legal proceedings around the South China Sea arbitration.

"The finger points to the government of China, which would benefit from having a malware campaign against these targets," Koivunen claimed. China has consistently denied hacking other nations, and instead accuses others of launching espionage and hacking attacks against it.

Given the data targeted for extraction by NanHaiShu is so sensitive and stored within organisations that, in theory, should be highly secure, how were hackers able to break into the networks, steal information, and remain undetected by victims?

The answer is the perpetrators were using very carefully-prepared spear-phishing emails targeting people connected to the case, then using infected Excel spreadsheets to drop NanHaiShu into the system.

"The Excel sheets were named in a fashion that invites the recipient to open up the document and ignore the displayed macro security warnings. Once the macros have been disabled, the malware drops an embedded Jscript file on the victim's machine, causing the computer to be infected. After that, it can be remotely commanded by the attackers," said Koivunen.

The phishing emails were carefully crafted to ensure that precisely chosen targets would overrule warnings not to open the file.

"The campaign is supported by previously-gathered intelligence on what these people are interested in and they're using timely topics, lingo specific to the profession, and were confident the recipients are in a position to disable macro warnings on Microsoft Office products, which isn't something which you can typically assume," says Koivunen.

"You'd need to have knowledge that this is the case, otherwise it's an expensive campaign with no yield," he added, implying that the NanHaiShu campaign is one that's well resourced.

While the emails were designed in such a way to ensure that the victims were mistakenly confident that the messages were from an authentic source, they still needed to override macro warnings from Microsoft Office in order to access the NanHaiShu-infected files.

Therefore, if there's a lesson to be learned from this case, it's that macro security settings shouldn't be taken lightly -- they're likely protecting your system from a malicious intrusion. The latest version of Microsoft Office already offers new tactical features to protect against these sorts of attacks.

Full details on the malware are outlined in F-Secure's NanHaiShu: RATing the South China Sea report.


Editorial standards