China-Linked Cyber Group Conducts Espionage Against South China Sea Nations

A new cyber threat actor, suspected to have ties to China, has been targeting military and government organizations in the South China Sea nations since 2018, according to a report by Romanian cybersecurity company Bitdefender.

The threat actor, named “Unfading Sea Haze” by Bitdefender researchers, appears to be operating in alignment with China’s geopolitical interests, with a focus on espionage. The researchers published their findings on May 22, noting the group’s sophisticated arsenal of custom malware and tools. One of the techniques used by Unfading Sea Haze overlaps with those employed by APT41, a well-known China-backed espionage group.

“While no other overlaps with APT41’s known tools were identified, this single similarity suggests shared coding practices within the Chinese cyber threat scene,” the report stated. APT41 is one of several known Chinese Advanced Persistent Threats (APTs) that have targeted Western institutions, companies, and governments. In 2020, five Chinese nationals from APT41 were indicted by the FBI for hacking campaigns aimed at stealing trade secrets and sensitive information from over 100 entities worldwide.

Since 2018, Unfading Sea Haze has targeted at least eight victims, primarily military and government entities. The group has repeatedly regained access to compromised systems using spear-phishing emails with malicious ZIP archives. These archives contained LNK files disguised as regular documents, which executed malicious commands when clicked.

Some ZIP archive names used by the group included “Data,” “Doc,” and “Startechup_fINAL.” More recent names from March 2024 included misleading titles like “Assange_Labeled_an_‘Enemy’_of_the_US_in_Secret_Pentagon_Documents102” and “Presidency of Barack Obama,” along with names posing as installers, updaters, and documents of Microsoft Windows Defender.

After gaining access, Unfading Sea Haze used a combination of custom and off-the-shelf tools to collect data. These tools included a keylogger named “xkeylog,” a browser data stealer targeting popular web browsers, and a tool monitoring the presence of portable devices on compromised systems.

The group also collected data from messaging apps like Telegram and Viber, and used the RAR compression tool for manual data collection. This blend of tools and manual data extraction highlights a targeted espionage campaign focused on acquiring sensitive information.

The group went undetected for over five years, demonstrating a sophisticated approach to cyberattacks. Bitdefender publicized their findings to help the security community detect and disrupt such espionage efforts. They recommended prioritizing patch management, enforcing strong password policies, monitoring network traffic, and collaborating with the cybersecurity community to mitigate risks posed by Unfading Sea Haze and similar threat actors.

China is currently in territorial disputes with Brunei, Malaysia, the Philippines, Vietnam, and Taiwan over reefs, islands, and atolls in the South China Sea. A 2016 international ruling rejected Beijing’s “Nine-dash line” claim to about 85 percent of the South China Sea’s 2.2 million square miles. In February, the Philippines announced that hackers based in China had attempted to break into the country’s government websites and email systems.