Date: Aug 2016

Location: Philippines

Summary

A Remote Access Trojan known as NanHaiShu was delivered via spear phishing emails to entities involved in the South China Sea dispute, including the Department of Justice of the Philippines and a law firm working on the case. The malicious Office macros were written to account for non-default Microsoft Office configurations found in the target environments, which indicates prior reconnaissance by the suspected Chinese-origin threat actors. The attackers used current geopolitical developments to craft credible lures and routed the malware's traffic through dynamic DNS hostnames to hinder detection and takedown. The operation combined tailored social engineering, adaptation to the targets' software configurations, and abuse of legitimate infrastructure to exfiltrate data while complicating defensive response.


Description

In 2016, F-Secure Labs documented cyber espionage activity targeting entities involved in the South China Sea territorial dispute, including two governmental organizations and a law firm representing one party. The attackers delivered a Remote Access Trojan called NanHaiShu via spear phishing emails carrying malicious Microsoft Office attachments. The emails used lures drawn from the geopolitical context to persuade recipients to enable macros, which then executed the malware. The macros were written to work with non-default Microsoft Office configurations observed in the target environments, indicating prior reconnaissance of victim systems. NanHaiShu functioned as an infostealer designed to exfiltrate sensitive data from compromised devices. The researchers assessed that the tool's design and targeting patterns pointed to a Chinese origin, though they made no explicit attribution. The campaign operated through 2015, with the timing of attacks correlating to developments in the maritime dispute. Dynamic DNS services were used to route the malware's traffic through legitimate infrastructure, which complicated network detection and takedown efforts.


The attacks demonstrated careful tradecraft, including macro-based payload delivery tailored to the victims' Office configurations and politically relevant phishing lures. Analysis of the malware showed that it could establish persistent access, monitor user activity, and harvest documents for intelligence purposes. Microsoft Office macros served as the primary infection vector, consistent with the broader shift among threat actors back toward macro-based delivery, which depends on persuading the user to enable macros that Office disables by default. While the specific data taken from the governmental targets was not disclosed, the campaign's objective centered on intelligence collection related to the territorial dispute. Security advisories recommended blocking unsigned macros, monitoring network traffic for anomalous dynamic DNS lookups, and raising user awareness of politically themed phishing attempts. The incident highlighted how nation-state actors continue to refine social engineering while abusing legitimate features of enterprise software rather than relying on software vulnerabilities.
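The second recommendation above, monitoring for anomalous dynamic DNS lookups, is the easiest to operationalize. The script below is an added example written for this page; it is not code from F-Secure's report or from the NanHaiShu analysis. It parses constructed DNS query log lines (the four-column format and the client IPs are assumptions, as is the illustrative list of free dynamic DNS zones, which is neither exhaustive nor the set of providers named in any particular report), flags user-registered hostnames under those zones while ignoring the providers' own apex and www hosts, and counts repeated lookups per client so beaconing stands out from a one-off visit.

```python
"""Flag DNS queries to user-registered hostnames under dynamic DNS providers."""
import re
from collections import Counter

# Illustrative subset of free dynamic DNS zones. Assumption: not an exhaustive
# list and not tied to any specific report; extend from your own threat intel.
DDNS_ZONES = {
    "no-ip.com", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org",
    "zapto.org", "sytes.net", "dyndns.org", "dynu.net", "duckdns.org",
    "freedynamicdns.net", "myftp.org",
}

# Constructed sample log lines, not real telemetry. Assumed format:
# "<timestamp> <client_ip> <query_name> <record_type>"
SAMPLE_LOG = """\
2016-08-01T09:12:03Z 10.1.4.22 update.microsoft.com A
2016-08-01T09:12:07Z 10.1.4.22 mail.example.org MX
2016-08-01T09:15:41Z 10.1.4.22 reports-update.ddns.net A
2016-08-01T09:15:42Z 10.1.4.22 reports-update.ddns.net A
2016-08-01T10:02:19Z 10.1.7.9 www.hopto.org A
2016-08-01T10:02:33Z 10.1.7.9 statuscheck.no-ip.biz A
2016-08-01T10:03:00Z 10.1.7.9 cdn.example.net AAAA
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "qtype": qtype}


def ddns_zone(qname):
    """Return the dynamic DNS zone that qname is registered under, else None.

    Walks the suffixes of the name from the longest proper suffix down to the
    two-label zone. The bare zone and its "www" host belong to the provider
    itself, so only hostnames that a user could have registered are reported.
    """
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in DDNS_ZONES:
            if labels[:i] == ["www"]:
                return None
            return zone
    return None


def find_ddns_queries(log_text):
    """Return the parsed records whose query name sits under a DDNS zone."""
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        zone = ddns_zone(rec["qname"])
        if zone:
            rec["zone"] = zone
            flagged.append(rec)
    return flagged


def summarize(flagged):
    """Count lookups per (client, hostname) so repeated beaconing stands out."""
    return dict(Counter((r["client"], r["qname"]) for r in flagged))


if __name__ == "__main__":
    hits = find_ddns_queries(SAMPLE_LOG)
    for (client, qname), n in sorted(summarize(hits).items()):
        print(f"{client} -> {qname} ({n} queries)")
```

In production the zone list should come from a maintained feed and the summary should be fed into an alerting threshold rather than printed; a single lookup of a dynamic DNS hostname is common, but the same internal host resolving the same user-registered name repeatedly over a short window is the pattern worth an analyst's time.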
