China appears to be targeting malware at countries involved in the dispute over South China Sea national boundaries, according to findings from F-Secure.
The discovery of the malware follows a ruling by the Permanent Court of Arbitration in The Hague over China's territorial claims to most of the South China Sea in a case brought by the government of the Philippines.
The international tribunal ruled against China's claim, but China's foreign ministry rejected the judgement and insisted that the decision is "null and void and has no binding force".
Now, in a seemingly related incident, F-Secure has uncovered a remote-access trojan that was widely deployed before the 12 July ruling by the court and allows its controllers to extract data from infected machines.
The campaign seems to have been targeted at the Philippines, and the malware, dubbed NanHaiShu by F-Secure, appeared to make use of code and infrastructure associated with China.
Specifically, the targets included the Department of Justice of the Philippines, the organisers of the Asia-Pacific Economic Cooperation Summit and an international law firm representing one of the involved parties.
"This APT [advanced persistent threat] malware appears to be tightly linked to the dispute and legal proceedings between the Philippines and China about the South China Sea," said Erka Koivunen, a cyber security adviser at F-Secure.
"Not only are the targeted organisations all related to the case in some way, but its appearance coincides chronologically with the publication of news or events related to the arbitration proceedings."
F-Secure has been picking up samples of NanHaiShu in the wild for a couple of years. The malware is propagated via targeted spear-phishing emails, arriving as an attachment rather than exploiting security flaws in operating systems or Adobe software, which would have planted it more surreptitiously on compromised systems.
"The attached file contains a VBA [Visual Basic for Applications] macro that executes an embedded JScript file. It is likely that the threat actor knew the targets use VBA macros in their business environment, since the attack only works if the default security setting in Microsoft Office is modified to allow macro execution," said the F-Secure report (PDF).
"Once installed on a machine in the target network, NanHaiShu sends information from the infected machine to a remote command-and-control server."
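Since the dropper described above only runs where Office's macro setting has been changed to allow execution, a simple defender check is to audit that setting. The following PowerShell script is an added example, not code from F-Secure's report; it assumes the Office 2013/2016+ registry layout (version keys `15.0` and `16.0`) and the documented `VBAWarnings` values for Word, Excel and PowerPoint.

```powershell
# Added example (not from the F-Secure report): report Office apps where the
# Trust Center macro setting has been changed to "Enable all macros", the
# condition a VBA-macro dropper such as NanHaiShu relies on.
# Assumption: Office 2013 (15.0) / 2016+ (16.0) per-user registry layout.

$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '15.0', '16.0'

# Meaning of the VBAWarnings DWORD as exposed in the Trust Center UI
$meaning = @{
    1 = 'Enable all macros (unsafe)'
    2 = 'Disable all macros with notification (default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroSetting {
    param([string]$App, [string]$Version)
    # A policy value (set via Group Policy) overrides the per-user value
    $paths = @(
        "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security",
        "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        if ($null -ne $v) {
            return [pscustomobject]@{
                App = $App; Version = $Version; Source = $p
                VBAWarnings = $v; Meaning = $meaning[[int]$v]
                Risky = ($v -eq 1)
            }
        }
    }
    # No value stored: Office applies its default (2, disable with notification)
    [pscustomobject]@{
        App = $App; Version = $Version; Source = '(default)'
        VBAWarnings = 2; Meaning = $meaning[2]; Risky = $false
    }
}

$results = foreach ($v in $versions) {
    foreach ($a in $apps) { Get-MacroSetting -App $a -Version $v }
}
$results | Format-Table -AutoSize

if ($results | Where-Object Risky) {
    Write-Warning 'Macros are fully enabled in at least one Office app; a VBA dropper would run without any prompt.'
}
```

Run it under the user account being audited, since the per-user key lives under HKCU; pushing the policy value to 3 or 4 via Group Policy is the usual remediation.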
This latter code has been publicly available in a blog post from the Chinese Software Developer Network website since early 2005.
The command-and-control structure also points to China, shifting from US-hosted IP addresses to China in October 2015.
"Our technical analysis indicates a notable orientation towards code and infrastructure associated with developers in mainland China," said F-Secure.
"In addition, we also consider it significant that the selection of organisations targeted for infiltration is directly relevant to topics that are considered to be of strategic national interest to the Chinese government."
The dispute in the South China Sea has been simmering for some time, but was sent to the Court of Arbitration in December 2014. China claims almost all of the South China Sea based on historic precedent, but this is rejected by other nations that border the waters.
The Chinese government has claimed various islands in the South China Sea in recent years, and built artificial islands to cement its claims. However, the court ruled that these claims had no merit in well-established maritime law.