September 29, 2017 |

F-Secure links advanced malware threat to South China Sea cyber attacks

The use of the Remote Access Trojan coincides with events leading to the recent ruling in the Philippines vs. China case. Berkshire, UK – 4th August 2016: F-Secure Labs has uncovered a strain of malware that appears to be targeting parties involved in the recently decided Philippines vs. China case regarding the two countries’ South […]

The use of the Remote Access Trojan coincides with events leading to the recent ruling in the Philippines vs. China case.

Berkshire, UK – 4th August 2016: F-Secure Labs has uncovered a strain of malware that appears to be targeting parties involved in the recently decided Philippines vs. China case regarding the two countries’ South China Sea dispute. The malware, dubbed NanHaiShu by F-Secure researchers, is a Remote Access Trojan that allows attackers to exfiltrate data from infected machines. The malware and its use leading up to the 12th July case ruling are detailed in a new F-Secure report, NanHaiShu: RATing the South China Sea.

 

“This APT (advanced persistent threat) malware appears to be tightly linked to the dispute and legal proceedings between the Philippines and China about the South China Sea,” says Erka Koivunen, cyber security advisor at F-Secure. “Not only are the targeted organisations all related to the case in some way, but its appearance coincides chronologically with the publication of news or events related to the arbitration proceedings.”

 

Targeted organisations identified in the report include the Department of Justice of the Philippines, which has been involved in the case filed by the Philippines against China; the organisers of Asia-Pacific Economic Cooperation (APEC) Summit, which was held in the Philippines in November 2015; and a major international law firm.

 

NanHaiShu is spread via carefully crafted spear phishing emails that contain industry-specific terms relevant to each of the targeted organisations, indicating the emails were deliberately designed with the exact targets in mind. The email’s attached file contains a malicious macro that executes an embedded JScript file. Once installed on a machine, NanHaiShu sends information from the infected machine to a remote server, and is able to download any file the attacker wishes.

 

The technical analysis exposed the malware’s notable orientation towards code and infrastructure associated with developers in mainland China. Owing to that, and to the fact that the selection of organisations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government, F-Secure researchers suspect the malware to be of Chinese origin.

 

“If in fact our researchers’ suspicions are correct, it could be that the Chinese were using cyber espionage to gain better visibility into the legal proceedings,” says Koivunen.

 

For more details see the full report, NanHaiShu: RATing the South China Sea.

 

-ends-

 

 

 

More information:

NanHaiShu: RATing the South China Sea

NanHaiShu: Threat Intelligence Brief on Intelligence Gathering Attacks

 

About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.

 

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com twitter.com/fsecureukteam | facebook.com/f-secure

 

F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland

E: geoff.dorrington@f-secure.com

T: 01753 376592

 

 ###

Latest Events
Press Archives
Select Year

Latest Press Releases

November 16, 2017

DNS now your First Line of Defense against Cyber Attacks

F-Secure is partnering with the Global Cyber Alliance to step up the fight against malicious URLs with a secure DNS service that companies and individuals can use for free. Buckinghamshire, UK  – November 16, 2017: Every single day, F-Secure Labs discovers nearly 30,000 malicious URLs used in phishing attacks, ransomware campaigns, and other cyber attacks. […]

October 25, 2017

Study Shows 30% of CEOs Have Been “Pwned,” Passwords Exposed

Email exposure study also shows 81% of the world’s top CEOs have had their personal information exposed in spam lists or leaked marketing databases. Buckinghamshire, UK – October 25, 2017: Nearly one in three major CEOs has been “pwned” using their company email address, according to a new F-Secure study of CEO email exposure. In […]

October 10, 2017

F-Secure, University of Helsinki bring back Cyber Security Base

F-Secure and the University of Helsinki re-launch their cyber security MOOC following the success of last year’s offering. Buckinghamshire, UK – October 3, 2017: Cyber Security Base with F-Secure, an online course series developed by the University of Helsinki and F-Secure, is back for another year. Over 50,000 people from the United States, Finland, the […]

September 29, 2017

F-Secure wins AV-TEST Best Protection award for fifth time

Award reaffirms that companies which choose F-Secure’s new version of Business Suite will have proven best protection. Berkshire, UK – 1st February 2017: F-Secure has won the Best Protection award from the AV-TEST Institute for superior protection technology throughout 2016. The win makes F-Secure a five-time winner of the award and it’s the only company […]

%d bloggers like this: