Cyber Attack – Suspected Chinese malware used to spy on PH gov’t – security firm

CNN PH – Metro Manila (CNN Philippines) — The maritime dispute in the South China Sea has been decided by the arbitration court in favor of the Philippines — but now it seems the sea spat has been taken to cyber space.


Finland-based web security company F-Secure claimed on Thursday that it had found malware targeting the confidential information of government and private organizations, including the Philippines’ Department of Justice.


The organizers of the Asia-Pacific Economic Cooperation (APEC) Summit held in Manila last November and an unnamed prominent international law firm, which represented the Philippines during the arbitration case, were not spared from the cyber attack.

The malicious program is dubbed “NanHaiShu” (南海鼠), which translates to “South China Sea rat” in English. F-Secure suspects it to be of Chinese origin.

The Remote Access Trojan (RAT) is disguised as an innocent file, usually sent as an email attachment. Once opened, it installs itself on the victim’s computer, gathers information and sends it back to the attacker.

F-Secure said the attacks all appeared to be politically motivated, given their timing.

“They occurred either within a month following notable news reports related to the dispute, or within a month leading up to publicly-known political events featuring the said issue,” F-Secure said in a published 16-page whitepaper.

F-Secure said it stumbled upon the NanHaiShu malware while surveying the web security environment ahead of the Manila APEC Summit. The company traced the malware’s history and found variants that coincided with developments in the dispute and milestones in Manila’s arbitration case against Beijing. The recorded attacks spanned late 2014 to March 2016.

F-Secure Threat Intelligence Team Senior Manager Mina Aquino said on Friday that, based on the organizations targeted, the attacker was most likely the Chinese government.

Was confidential Philippine data compromised?
Aquino said several targets of the “cyber espionage” attack were successfully breached.

“The attackers were able to gain access to confidential information — that includes documents or could-be political secrets,” she said.

NBI on it
National Bureau of Investigation Cybercrime Division Chief Ronald Aguto Jr. said they are looking into the published report. Aguto only found out about the reported threat after CNN Philippines asked him for comment.

CNN Philippines has also asked the Chinese Embassy for comment. It has yet to respond.

Aquino said her team, composed of three Filipinos and three Finns, felt strongly about the case and was determined to find out who was truly behind the cyber attacks.

JC Gotinga – CNN PH

What is a RAT?

Remote Access Trojans (RATs) give cybercriminals full remote control of infected endpoints. Using the victim’s access privileges, they can access and steal sensitive business and personal data, including intellectual property, personally identifiable information (PII) and patient health information (PHI). While automated cyber attacks (e.g. Man-in-the-Browser) let cybercriminals attack browser-based access to sensitive applications, RATs are used to steal information by operating the endpoint manually on behalf of the victim. Most Advanced Persistent Threat (APT) attacks rely on RAT technology for reconnaissance, bypassing strong authentication, spreading the infection, and accessing sensitive applications to exfiltrate data. RATs are commercially available (e.g. Poison Ivy, DarkComet) and are typically installed on endpoints through drive-by downloads and spear-phishing.

Organizations should specifically address RATs in their enterprise defense strategy at the endpoint layer. The risk is especially high once a RAT infection has occurred, because detecting a running RAT is extremely difficult.
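Because a RAT is hard to spot on the endpoint itself, defenders often look at the network side instead: an implant that “sends back information to the attacker” must call home, and many do so on a fixed schedule. The following added example (not code from F-Secure or from the CNN report) shows a simple beaconing heuristic run over constructed proxy log lines: connections from one host to one destination are grouped, and a pair is flagged when it has many small, evenly spaced requests. The log format, host names, IP addresses and the thresholds (`min_events`, `max_jitter`, `max_bytes`) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic): ISO timestamp, source host,
# destination address, bytes sent. The 203.0.113.5 entries are spaced ~5 min
# apart with near-constant size; 198.51.100.20 is ordinary irregular browsing.
SAMPLE_LOG = """\
2016-03-01T09:00:00 ws-17 203.0.113.5 412
2016-03-01T09:00:07 ws-17 198.51.100.20 1899
2016-03-01T09:05:01 ws-17 203.0.113.5 409
2016-03-01T09:10:00 ws-17 203.0.113.5 415
2016-03-01T09:12:33 ws-17 198.51.100.20 20311
2016-03-01T09:15:02 ws-17 203.0.113.5 410
2016-03-01T09:20:01 ws-17 203.0.113.5 413
2016-03-01T09:25:00 ws-17 203.0.113.5 411
2016-03-01T09:31:17 ws-17 198.51.100.20 5123
2016-03-01T09:44:09 ws-17 198.51.100.20 722
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            size = int(parts[3])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], size


def find_beacons(text, min_events=5, max_jitter=0.1, max_bytes=2048):
    """Return {(src, dst): mean_interval_seconds} for host/destination pairs
    whose timing looks like periodic check-ins.

    A pair is flagged when it has at least `min_events` connections, the
    relative standard deviation of the gaps between them is at most
    `max_jitter`, and every request is small (<= `max_bytes`). Thresholds are
    illustrative assumptions; tune them to the environment's baseline.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for ts, src, dst, size in parse_log(text):
        times[(src, dst)].append(ts)
        sizes[(src, dst)].append(size)

    hits = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg  # coefficient of variation of the gaps
        if jitter <= max_jitter and max(sizes[pair]) <= max_bytes:
            hits[pair] = round(avg)
    return hits


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

On the constructed log this flags only `ws-17 -> 203.0.113.5` at roughly 300-second intervals; the browsing to 198.51.100.20 has too few events and irregular gaps. The heuristic is a starting point rather than a verdict: legitimate software updaters and monitoring agents also beacon, so flagged pairs need to be checked against known-good destinations, and implants that randomize their sleep interval or pad request sizes will fall outside these thresholds.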

Defense News Daily and Calriger Cyber Center
