F-Secure links advanced malware threat to South China Sea cyber attacks

F-Secure links advanced malware threat to South China Sea cyber attacks

The use of the Remote Access Trojan coincides with events leading to the recent ruling in the Philippines vs. China case.

F-Secure Labs has uncovered a strain of malware that appears to be targeting parties involved in the recently decided Philippines vs. China case regarding the two countries’ South China Sea dispute. The malware, dubbed NanHaiShu by F-Secure researchers, is a Remote Access Trojan that allows attackers to exfiltrate data from infected machines. The malware and its use leading up to the 12th July case ruling are detailed in a new F-Secure report, NanHaiShu: RATing the South China Sea.

Erka Koivunen, cyber security advisor at F-Secure says:

“This APT (advanced persistent threat) malware appears to be tightly linked to the dispute and legal proceedings between the Philippines and China about the South China Sea. Not only are the targeted organisations all related to the case in some way, but its appearance coincides chronologically with the publication of news or events related to the arbitration proceedings.”

Targeted organisations identified in the report include the Department of Justice of the Philippines, which has been involved in the case filed by the Philippines against China; the organisers of Asia-Pacific Economic Cooperation (APEC) Summit, which was held in the Philippines in November 2015; and a major international law firm.

NanHaiShu is spread via carefully crafted spear phishing emails that contain industry-specific terms relevant to each of the targeted organisations, indicating the emails were deliberately designed with the exact targets in mind. The email’s attached file contains a malicious macro that executes an embedded JScript file. Once installed on a machine, NanHaiShu sends information from the infected machine to a remote server, and is able to download any file the attacker wishes.

The technical analysis exposed the malware’s notable orientation towards code and infrastructure associated with developers in mainland China. Owing to that, and to the fact that the selection of organisations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government, F-Secure researchers suspect the malware to be of Chinese origin.

Koivunen says:

“If in fact our researchers’ suspicions are correct, it could be that the Chinese were using cyber espionage to gain better visibility into the legal proceedings.”

[su_button url=”https://www.f-secure.com/en_GB/welcome” target=”blank” style=”flat” background=”#df2027″ color=”#ffffff” size=”10″ radius=”0″ icon=”icon: arrow-circle-right”]Click here to find out more about F-Secure[/su_button]

About Security Buyer

Security Buyer is the leading authority in global security content, delivering expert news, in-depth articles, exclusive interviews, and industry insights across print, digital, and event platforms. Published 10 times a year, the magazine is a trusted resource for professionals seeking updates and analysis on the latest developments in the security sector.

To submit an article, or for sponsorship opportunities, please contact our team below.

Rebecca Spayne picture 2025

Rebecca Spayne

Managing
EDITOR

Georgina Turner image

Georgina Turner

Sales
Manager

Afua Akoto image - Security Buyer

Afua Akoto

Marketing Manager

Read the Latest Issue

Follow us on X

Follow us on X

Click Here

Follow us on LinkedIn

Follow us on LinkedIn

Click Here

Advertise here

Reach decision makers and amplify your marketing

Advertise here

Click Here

Related News

Copyright: Security Buyer

ASIS UK Launches “Security is You(th)” Hackathon

ASIS International UK has launched Security is You(th), an initiative designed to engage students and early-career professionals…
Image provided by Veeam

AI and Ransomware: Cutting Through the Hype

Rick Vanover, Vice President Product Strategy, Veeam discusses how It might be the great paradox: Artificial Intelligence (AI)….
Copyright: Security Buyer

AmiViz Partners with Titania

AmiViz announced a strategic distribution agreement with Titania. This collaboration underscores a shared commitment to enhancing…
Oil and Gas

Navigating Africa’s Oil & Gas Industry

A comprehensive analysis of security strategies in Africa’s oil and gas industry, covering physical, cyber, and remote surveillance measures.
blackhat

Black Hat Europe Starts Soon

Black Hat Europe starts Monday and now is the perfect time to start planning your experience. With a full lineup of Keynotes…

VIVOTEK’s All-in-One Software Boosts Operational Efficiency for Enterprises

As demand for high-efficiency security systems rises among large enterprises, the global leading…
Assa Abloy website

WTC Amsterdam enhances security and efficiency with digital access solution

The World Trade Center (WTC) Amsterdam, home to over 300 companies, has upgraded its building security with a streamlined, digital access solution from ASSA ABLOY.
John Maddison website

Fortinet launches Lacework FortiCNAPP to enhance cloud-native security

In an advancement in cybersecurity, Fortinet has announced Lacework FortiCNAPP, providing organisations with visibility and security.
GITEX Global 2024 website

GITEX GLOBAL 2024: AI revolution drives strategic tech innovation

GITEX GLOBAL 2024 concluded on Friday, showcasing artificial intelligence (AI) as a transformative force driving business and economic growth
Scroll to Top