China-affiliated cyber groups spy on countries with South China Sea claims

The IT systems of at least eight government and military entities with claims in the disputed South China Sea were compromised in an espionage campaign by Unfading Sea Haze, a threat actor aligned with China's interests, according to a May 22 report by Bitdefender Labs, the research unit of cybersecurity provider Bitdefender.

The report, which did not identify the targeted countries, stated that the attacks began at least five years ago with spear phishing emails. These emails, some sent as recently as May 2023, carried malicious documents that installed a backdoor on the targeted systems, letting the attackers return whenever they wanted to.

Once inside, the attackers used a range of tools to widen their access across the network, frequently taking over administrator accounts to gain higher privileges. They also deployed several malware families to harvest browser data, including saved passwords, and to evade detection.

The report also noted other indicators linking the attackers to China, notably their use of multiple Gh0st RAT variants, a tool popular with Chinese threat actors and used extensively in CCP-linked espionage campaigns.

“All the malware families encountered during the investigation, although different, have some common characteristics with the Gh0stRat family,” the report declared, adding there could be “a potential network for sharing these tools within the Chinese cyber ecosystem”. 

A separate report by cybersecurity firm Sophos disclosed that for almost two years, Chinese state-sponsored hackers targeted a Southeast Asian government department to learn about the country's strategy regarding the disputed South China Sea waters.

Sophos researchers unearthed a "data exfiltration tool used as far back as December 2022" that had previously been associated with the Chinese threat group Mustang Panda. The researchers later uncovered various attempts to steal data, with "the actors attempting to collect documents with file names that indicate they are of intelligence value, including military documents related to strategies in the South China Sea."

Two of the activity clusters aligned with "tactics and techniques used by the well-known Chinese nation-state group APT15 and a subgroup of APT41 known by some researchers as Earth Longzhi."

“The different clusters appear to have been working in support of Chinese state interests by gathering military and economic intelligence related to the country’s strategies in the South China Sea,” Paul Jaramillo, director of threat hunting and threat intelligence at Sophos, remarked. 

"In this particular campaign, we believe these three clusters represent distinct groups of attackers who are working in parallel against the same target under the overarching directive of a central state authority." 

The apparent aim of these intrusions, which Sophos researchers named "Crimson Palace", was reconnaissance and the exfiltration of documents containing "sensitive political, economic, and military information".

“What we’ve seen with this campaign is the aggressive development of cyberespionage operations in the South China Sea. We have multiple threat groups, likely with unlimited resources, targeting the same high-level government organization for weeks or months at a time, and they are using advanced custom malware intertwined with publicly available tools,” Jaramillo elaborated. 

“They were, and are still, able to move throughout an organization at will, rotating their tools on a frequent basis. At least one of the activity clusters is still very much active and attempting to conduct further surveillance.” 

“Furthermore, the target network is a high-profile government organization in a Southeast Asian country known to have repeated conflict with China over territory in the South China Sea,” the Sophos report stated.   

Another report by Google-owned cybersecurity firm Mandiant highlighted China's global use of compromised and leased proxy devices, such as home office routers. Networks of such devices formed a major part of Volt Typhoon, a Chinese hacking campaign that has targeted critical infrastructure relied on by the United States military. 

The Mandiant study pointed out that the use of compromised small office and home office routers located near a potential victim "brings a new facet to this issue, as the owners of this equipment may become unwitting enablers of serious spy craft". 

The South China Sea, rich in fishing stocks, oil and gas, and also a key global trade route, is a hugely contested area with claims made by China, Vietnam, the Philippines, Malaysia, Indonesia and Taiwan.  

China claims almost the entirety of the South China Sea as its sovereign waters and rejects the 2016 ruling of an independent arbitral tribunal constituted under the UN Convention on the Law of the Sea (UNCLOS), to which China is a State Party. The tribunal found that China has no legal basis for its expansive claims and that it had infringed on the Philippines' sovereign rights. China dismissed the ruling as "nothing more than a piece of waste paper".

Photo credit: Pixabay/ dominickide
