Chinese cyber spies go ‘fishing’ amid South China Sea dispute

Posted on October 19, 2015

IN THE MIDST of a week-long hearing on a South China Sea territorial dispute, the Web site of the Permanent Court of Arbitration (PCA) in The Hague went offline.

The incident happened in July as the Philippines challenged China’s claim to more than 80% of the South China Sea, an assertion that Manila says encroaches on its exclusive economic zone. Based on an analysis of the software and infrastructure used, the site was infected with malware by someone in China, according to ThreatConnect, Inc., a US security company. China didn’t take part in The Hague hearing.

Alongside the increased presence of coast guard and military ships and planes, cyber espionage is emerging as a new front in the wrangling over the South China Sea, an artery for global trade that straddles the Indian and Pacific oceans. Over the past 18 months China has rapidly built on reefs in the area, butting up against smaller claimants such as Vietnam and the Philippines.

China regularly uses its coast guard and fishing vessels to warn away the boats of other countries. The disputes have pulled in the US, which patrols the waters in the name of navigational freedom -- most recently it has reportedly been considering sailing warships into the 12 nautical mile exclusion zone around the islands China is building.

“Whenever you see island-dispute issues flare up you also see cyber activities spike as well,” said Tobias Feakin, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute in Canberra. “If it is being used in coordination with the prodding that the Chinese do in a physical way, it surely shows you see a strategic advantage in the use of that power.”

Southeast Asia’s smaller economies are vulnerable to hacks, given a lack of spending on cyber defense by some countries that rely on remittances from thousands of their citizens working overseas to propel growth, and a reluctance to report breaches of government security. The one protection may be how dated or incomplete networks are, with a reliance in far-flung areas on paper files.

Southeast Asian governments and companies are 45% more likely to be targeted than the average for the rest of the world, security provider FireEye, Inc. said in a recent report. While Chinese President Xi Jinping agreed last month with US President Barack Obama to broad principles to stop the theft of corporate secrets, the yet-to-be-developed rules will only cover the US and China and won’t extend to traditional intelligence collection.

“The Chinese aren’t going to shut down their cyber espionage operations,” said Dmitri Alperovitch, co-founder and chief technology officer of security company CrowdStrike, Inc. “So they are most likely going to double down on traditional intelligence collection.”

In The Hague, the Philippines was seeking to enlist international law to deter China’s expansion in the South China Sea. Hackers embedded the PCA’s Web page on the case with code that infected visitors to the page, according to ThreatConnect. That left diplomats, lawyers, and journalists interested in the case at risk of information theft, plus their wider organizations.

“It’s like catching fish with a net,” said ThreatConnect chief intelligence officer Rich Barger. “I dip a big net into the ocean, I collect fish over the course of a few hours, and then I have the option of pulling out a few targeted fish that I wanted to have.”

The PCA Web site was unavailable for a short period in July due to technical problems, Gaelle Chevalier, a case manager at the PCA, said via e-mail, adding, “We have no information about the cause of the problems.”

The Philippines’ Deputy Presidential Spokesperson, Abigail F. Valte, who was at The Hague, said she heard about the attack. “We were surprised,” she said.

There are other signs of cyber attacks on countries at times of tension with China. When China dragged an exploration oil rig into contested waters last year, it led to deadly anti-China protests in Vietnam and clashes at sea between coast guard boats. There was a spike in cyberattacks on Vietnamese government targets, according to CrowdStrike.

Neither the Chinese foreign ministry nor the defense ministry responded to faxed questions about alleged Chinese involvement in the breach of the PCA or Vietnamese government Web sites. Officials regularly claim China is a victim of cyber security breaches and have repeatedly denied being the source of hacks in the United States and other countries.

The foreign ministry contends its island-building program in the South China Sea is legitimate because the reefs are its sovereign territory, and that the construction is for peaceful purposes.

Vietnam has seen a rise in cyber attacks on government sites with more than 3,000 defacement attacks and over 5,000 malware attacks in the first half of the year, according to the information security authority in the Ministry of Information and Communications. Hackers were found to have used Internet protocol addresses based in countries including China, the United States, and Russia, it said in an e-mailed response to questions.

“Whenever there has been a vital political, economic or social event, such as when the South China Sea disputes get heightened and complicated, attacks on government agency websites, especially those with a domain of, were seen to rise in volume, scope and mode,” the authority said.

CrowdStrike’s claims jibe with those of FireEye, whose Mandiant division alleged in February 2013 that China’s military may be behind a group that hacked at least 141 companies worldwide since 2006. After the report was published, the United States issued indictments against five military officials who were alleged members of that group, known as Advanced Persistent Threat 1.

In April, FireEye identified a group named APT 30 which it said had spent a decade targeting governments, the military, and corporations in Southeast Asia. It said software code and language were among indicators the software used in attacks was developed in China.

ThreatConnect has identified a group of hackers called Naikon APT which it said is backed by the People’s Liberation Army. Known as unit 78020, the group conducts cyberespionage against Southeast Asian targets, ThreatConnect and Defense Group, Inc. wrote in a report published last month.

While China is viewed as the most active of the region’s cyber espionage actors, other countries are developing capabilities, according to CrowdStrike’s Alperovitch. “But the Chinese have been in this game for 15 years so they are head and shoulders above everyone else.” -- Bloomberg