August 4, 2016 |

F-Secure Links Advanced Malware Threat to South China Sea Cyber Attacks

The use of the Remote Access Trojan coincides with events leading to the recent ruling in the Philippines vs. China case.

Helsinki, Finland – August 4, 2016: F-Secure Labs has uncovered a strain of malware that appears to be targeting parties involved in the recently decided Philippines vs. China case regarding the two countries’ South China Sea dispute. The malware, dubbed NanHaiShu by F-Secure researchers, is a Remote Access Trojan that allows attackers to exfiltrate data from infected machines. The malware and its use leading up to the July 12 case ruling are detailed in a new F-Secure report, NanHaiShu: RATing the South China Sea.

“This APT (advanced persistent threat) malware appears to be tightly linked to the dispute and legal proceedings between the Philippines and China about the South China Sea,” says Erka Koivunen, Cyber Security Advisor at F-Secure. “Not only are the targeted organizations all related to the case in some way, but its appearance coincides chronologically with the publication of news or events related to the arbitration proceedings.”

Targeted organizations identified in the report include the Department of Justice of the Philippines, which has been involved in the case filed by the Philippines against China; the organizers of Asia-Pacific Economic Cooperation (APEC) Summit, which was held in the Philippines in November 2015; and a major international law firm.

NanHaiShu is spread via carefully crafted spear phishing emails that contain industry-specific terms relevant to each of the targeted organizations, indicating the emails were deliberately designed with the exact targets in mind. The email’s attached file contains a malicious macro that executes an embedded JScript file. Once installed on a machine, NanHaiShu sends information from the infected machine to a remote server, and is able to download any file the attacker wishes.

The technical analysis exposed the malware’s notable orientation toward code and infrastructure associated with developers in mainland China. Owing to that, and to the fact that the selection of organizations targeted for infiltration are directly relevant to topics that are considered to be of strategic national interest to the Chinese government, F-Secure researchers suspect the malware to be of Chinese origin.

“If in fact our researchers’ suspicions are correct, it could be that the Chinese were using cyber espionage to gain better visibility into the legal proceedings,” says Koivunen.

For more details see the full report, NanHaiShu: RATing the South China Sea.

More information:
NanHaiShu: RATing the South China Sea
NanHaiShu: Threat Intelligence Brief on Intelligence Gathering Attacks

About F-Secure

F-Secure is a European cyber security company with decades of experience in defending enterprises and consumers against everything from opportunistic ransomware infections to advanced cyber attacks. Its comprehensive set of services and award-winning products use F-Secure’s patented security innovations and sophisticated threat intelligence to protect thousands of companies and millions of people. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 operators and thousands of resellers.

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd. |

F-Secure media relations

Melissa Michael
+358 45 209 3595

Downloads & other Goodies


Latest Press Releases

March 15, 2018

F-Secure’s Aviation Cyber Security Services Takes Off

F-Secure’s new service combines expertise in aviation and cyber security to help aviation companies protect their most critical assets.

February 28, 2018

F-Secure Introduces Unique Partner-Driven Service to Stop Targeted Cyber Attacks Globally

Channel partners have immense new service opportunities to protect their customers from rising numbers of targeted and fileless attacks with a leading-edge managed endpoint detection and response service.

February 22, 2018

Incident Detection, Email Attacks Continue to Cause Headaches for Companies

F-Secure’s new Incident Response Report points to email inboxes as the weakest link in security perimeters, and finds that companies struggle with quickly and accurately detecting security incidents.

February 5, 2018

F-Secure Continues Strategy Transformation to Serve Cyber Security Needs of Midmarket

To improve strategy execution, the company reorganizes and introduces important new roles to F-Secure’s Leadership Team.

%d bloggers like this: