Chinese hackers compromising military and gov’t entities around South China Sea, report finds

At least eight government and military entities in the South China Sea have been compromised in recent years by a group allegedly aligned with Chinese interests, a new report has found.

For nearly five years, hackers compromised and repeatedly regained access to systems used by the governments, according to researchers from Bitdefender. The report does not say which countries had systems breached or whether they were already aware of the incidents before Bitdefender investigated them. 

The activity was connected to a previously unknown threat actor, which they named Unfading Sea Haze, but noted that the “targets and nature of the attacks suggest alignment with Chinese interests.” The primary goal of the campaign, they said, appears to be espionage.

The South China Sea is a hotly contested area where China has encroached on territorial claims made by Vietnam, the Philippines, Malaysia, Indonesia and Taiwan. 

While the hackers’ choice of targets related to the disputed area points to Beijing, there are other elements suggesting a connection to China, namely the use of various Gh0st RAT variants — a tool popular with Chinese actors and used profusely in espionage campaigns by Beijing government hackers.

Bitdefender said it struggled to know how the hackers initially gained entry to some systems because many of the attacks began at least five years ago, but they confirmed at least one method: spearphishing emails.

These emails, some of which were sent as recently as May 2023, had malicious documents attached that installed a backdoor onto victim systems, allowing the hackers to return whenever they chose. Once inside, the group used several tools to expand their access to a network and often took over administrator accounts to give them further access. 

The hackers also deployed several other types of malware to evade detection and collect browser data like passwords. 

A ‘proxy’ army

The Bitdefender research adds to a growing body of knowledge around China’s extensive, nearly decade-long hacking campaign on targets across Southeast Asia and the Pacific. 

Another report published on Wednesday by Google-owned cybersecurity firm Mandiant highlighted China’s use of stolen and leased proxies, like home office routers, all over the world. 

According to Mandiant’s researchers, these networks are a key component of the work of Volt Typhoon – a Chinese hacking campaign that has targeted critical infrastructure used by the U.S. military. 

Mandiant’s research highlighted that the use of compromised systems like small office and home office routers located near a potential victim “brings a new facet to this issue, as the owners of this equipment may become unwitting enablers of serious spycraft.”

The researchers said it was part of a much larger effort by Chinese actors to grow their army of proxies known as “ORB networks” — which stands for operational relay box networks — for espionage operations. 

ORB networks, they said, are akin to botnets and are made up of virtual private servers (VPS), as well as compromised Internet of Things (IoT) devices, smart devices, and routers that are often end-of-life or unsupported by their manufacturers.

Michael Raggi, Mandiant principal analyst and the author of the report, said in a statement that ORB networks are “one of the major innovations in Chinese cyber espionage that are challenging defenders.” 

“They’re like a maze that is continually reconfiguring with the entrance and the exit disappearing from the maze every 60 - 90 days. In order to target someone, these actors may be coming from a home router right down the street. It’s not unusual for an entirely unwitting person’s home router to be involved in an act of espionage,” he said. 

Mandiant Chief Analyst John Hultquist added that Chinese cyber espionage “was once noisy and easily trackable.” 

“This is a new type of adversary,” he said.