State-Backed China Hackers Targeting South China Sea Claimants, US Cyber Firm Says


Throughout 2021 Chinese hackers with suspected links to the state have targeted government and private sector organizations across Southeast Asia, especially South China Sea claimants, a U.S. cybersecurity company says in a new report.

In the report released Wednesday, Insikt Group – a team of threat researchers from the cybersecurity firm Recorded Future – said that the South China Sea territorial disputes “very likely constitute another driver of China’s cyber espionage activity.”

Insikt said the hackers also target countries related to projects and countries strategically important to the Belt and Road Initiative (BRI), China’s global infrastructure masterplan.

The researchers identified over 400 victim servers located in Southeast Asia that had communicated with malware families “with likely links to Chinese state-sponsored actors.” A malware family refers to types of malware that have a common base code.

One threat activity group tracked by Insikt, TAG-16, is believed to be tasked with gathering intelligence on South China Sea-related issues.

Compromised organizations included navies, prime minister’s offices, ministries of defense, and ministries of foreign affairs in several countries with a presence in the South China Sea. The top three targeted countries were Malaysia, Indonesia, and Vietnam, the report said.

It predicted that “future activity targeting rival South China Sea claimants is likely to increase” in line with tensions in the area.

The report also highlighted two separate suspected Chinese state-sponsored intrusion campaigns targeting entities in Laos and Cambodia. Both campaigns were likely intended to support BRI objectives, it said.

Victims in these campaigns include the National Committee for Special Economic Zones and National Enterprise Database in Laos and Cambodia’s Sihanoukville Autonomous Port.

All affected countries have been notified about the findings of the report, Insikt told The Associated Press news agency, but those governments have yet to react publicly to the information.

Unrivaled scale and scope

Insikt researchers said Chinese state-sponsored groups have traditionally been highly active in targeting China’s rival claimants in the South China Sea, “with the operational tempo often mirroring increased geopolitical tensions.”

Last April, Vietnam’s National Cybersecurity Control Center said a number of government ministries and organizations had been targeted by a Chinese advanced persistent threat (APT), or state-sponsored group, called Goblin Panda (Cycldek).

Beside Cycldek, there are multiple APTs also conducting cyber espionage activity with reconnaissance and phishing campaigns targeting rival claimants. Insikt’s report said in recent years, a group called APT40 and linked to the Chinese Ministry of State Security’s Hainan State Security Department “has typically targeted maritime and engineering entities, as well as organizations with operations in Southeast Asia or involved in South China Sea disputes.”

“The scale and scope of China’s cyber espionage program remain unrivalled, exemplified by the large number of distinct actors with operational taskings within specific geographic regions,” the report concluded.

This week, Microsoft said in a blog that a U.S. federal court granted its request from its Digital Crimes Unit to seize 42 websites that the China-based hacking group Nickel used to attack organizations in the U.S., as well as around the world.

Nickel, also known under other names such as APT15, Mirage, Vixen Panda, and Ke3Chang, has been active since 2012, carrying out operations to gather intelligence from government agencies, think tanks, and human rights groups.

“Nation-state attacks continue to proliferate in number and sophistication,” Microsoft said.

China has yet to respond to Microsoft’s statement, or to Insikt Group’s report but in the past Beijing has repeatedly denied any involvement, saying hacking attacks are an international issue and China itself is a victim.

China has also accused critics of having “ulterior motives” and “ill intentions.”

Chinese security company ThreatBook on Wednesday released its own report accusing a Taiwan-based organization, GreenSpot, of launching cyberattacks on the Chinese mainland, mainly Beijing and Fujian, said China’s Global Times.

It said that since 2007 GreenSpot has launched large-scale targeted phishing attacks on government agencies, and aerospace and military-related scientific research institutes to steal high-value data and classified information.


Radio Free Asia’s mission is to provide accurate and timely news and information to Asian countries whose governments prohibit access to a free press. Content used with the permission of Radio Free Asia, 2025 M St. NW, Suite 300, Washington DC 20036.

Leave a Reply

Your email address will not be published. Required fields are marked *