Security firm: Suspected Chinese malware spying on PH gov’t, possibly due to maritime dispute

The Philippines won against China in the dispute over the West Philippine Sea when The Hague ruling was released on July 12, but China rejected the ruling and even recently threatened to imprison illegal fishers caught in Scarborough Shoal. Now, a security firm has revealed that the dispute has extended to cyberspace.

F-Secure, a web security company based in Finland, said on Thursday, August 4, that it has found malware gathering confidential data from government and private organizations, including the Department of Justice, CNN Philippines wrote.

The cyber security attack also hit the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit in Manila last November, as well as the international law firm that served as the Philippines’ legal counsel during the arbitration case against China.

F-Secure further revealed that the program is called “NanHaiShu” (南海鼠), which means “South China Sea rat” in English, causing the firm to suspect that the malware came from China.

The RAT (Remote Access Trojan) looks like an innocent file attached to an email, but once opened, it runs on the victim’s computer, collecting data and sending it back to the attacker.


According to F-Secure, the cyber attacks seemed to have a political color to them based on when the attacks were staged.

The firm’s 16-page whitepaper said, “They occurred either within a month following notable news reports related to the dispute or within a month leading up to publicly-known political events featuring the said issue.”

Here’s the PDF copy of the whitepaper, based on the link provided by CNN.

F-Secure said they found out about the NanHaiShu malware while assessing the web security environment before the Manila APEC Summit opened last year. The malware’s history showed variants that coincided with the developments and milestones in the maritime dispute between China and the Philippines, with the malware being used from late 2014 to March 2016.

Mina Aquino, F-Secure Threat Intelligence Team Senior Manager, said that they concluded the Chinese government was behind the cyber attacks based on the targets. She added that the attacks succeeded.

“The attackers were able to gain access to confidential information – that includes documents or could-be political secrets,” Aquino said.

National Bureau of Investigation Cybercrime Division Chief Ronald Aguto Jr. said they are studying the security firm’s report, although he only found out about the cyber threat after CNN Philippines reached out to him for comment.

The news site also contacted the Chinese Embassy to get their side, but they have not responded as of writing.


68 PH websites attacked

Philippine Star and Interaksyon both reported on the increase in cyber attacks targeting Philippine government websites after The Hague ruling on the West Philippine Sea dispute.

Interaksyon wrote that “a highly-placed Duterte administration official” revealed that no fewer than 68 national and local government websites were hit in the attack, with the main targets being the Department of National Defense and Malacañang’s Presidential Management Staff.

The official also disclosed that the attacks began on the afternoon of July 12, when the Permanent Court of Arbitration’s ruling was released, and that the attacks increased again on July 13.

The attacks that knocked the websites offline were categorized as Distributed Denial of Service (DDoS) attacks. In a DDoS attack, the target sites are flooded with incoming traffic from several sources, sometimes numbering in the thousands. The sudden increase in traffic overwhelms the web server’s capacity to process requests, leaving it unable to tell which requests are legitimate and which ones are from the attackers.

Among the affected government sites were the Department of National Defense, Presidential Management Staff, Bangko Sentral ng Pilipinas, Department of Foreign Affairs, MMDA, Department of Interior and Local Government, and NDRRMC. The new Department of Information and Communications Technology was also targeted.

Philippine Star wrote that even the PCA website was attacked with malware by “someone from China” in July 2015, according to US security company ThreatConnect Inc. The Star’s report then cited a Bloomberg report about the attack on the PCA during the weeklong hearing about the maritime dispute.

ThreatConnect Inc. said that the PCA’s web page on the sea row was embedded with code that infected anyone who visited the page, posing a risk of information theft to lawyers, diplomats, and journalists interested in the case.

The Chinese foreign ministry and the defense ministry did not respond to Bloomberg’s faxed questions over the alleged attack on the PCA from China.
