China-Linked Cyber Group Carries Out Espionage Against South China Sea Nations

‘Unfading Sea Haze’ has been targeting military and government organizations in South China Sea countries since 2018, according to a Romanian cybersecurity firm.
Frank Fang

A new cyber threat actor, suspected of ties to China, has been targeting military and government organizations in South China Sea countries since 2018, according to Romanian cybersecurity company Bitdefender.

Bitdefender researchers named the threat actor “Unfading Sea Haze” and noted that its operations are aligned with China’s geopolitical interests, with attacks focusing on espionage, according to a report published on May 22.

“The targets and nature of the attacks suggest alignment with Chinese interests,” the report reads.

The group had created “a sophisticated arsenal of custom malware and tools,” the researchers stated, noting that one of its techniques overlaps with a technique used by the well-known China-backed espionage group APT41.

“No other overlaps with APT41’s known tools were identified. This single similarity could be another indication of shared coding practices within the Chinese cyber threat scene,” the report reads.

APT41 is one of many known Chinese advanced persistent threats (APTs) that have carried out malicious cyber activities targeting Western institutions, companies, and governments. Others have included APT10 and APT40. Currently, five Chinese nationals from APT41 are on the FBI’s wanted list; they were indicted in 2020 on charges relating to hacking campaigns to steal trade secrets and sensitive information from more than 100 companies and entities worldwide.

Unfading Sea Haze has targeted at least eight victims, including mostly military and government targets since 2018, the report states, and it has “repeatedly regained access to compromised systems.”

One method that the group has used to infiltrate target systems is sending spear-phishing emails with malicious ZIP archives.

“These archives contained LNK files disguised as regular documents. When clicked, these LNK files would execute malicious commands,” the report reads.

Some of the ZIP archive names have included “Data,” “Doc,” and “Startechup_fINAL,” according to the report.

The threat group’s attackers began using new ZIP archive names in March 2024, including “Assange_Labeled_an_‘Enemy’_of_the_US_in_Secret_Pentagon_Documents102” and “Presidency of Barack Obama.” Other ZIPs were misleadingly named as Microsoft Windows Defender installers, updaters, and documents.
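The lure described above is a shortcut (.lnk) file that looks like a document but launches a command interpreter. The following script is an added example, not code from the Bitdefender report or from the article: it opens a ZIP attachment, parses each shortcut's Shell Link header and StringData fields (MS-SHLLINK format), and flags members that combine a document-like double extension with a target such as cmd.exe or PowerShell. The archive it scans is constructed inline; the member names, the cmd.exe/powershell command line and the placeholder payload are hypothetical, and the interpreter list is a heuristic, not an indicator from the report.

```python
"""Triage a ZIP attachment for document-named LNK lures (added example)."""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")

# LinkFlags bits from the MS-SHLLINK specification (section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
# StringData fields appear in this fixed order when their flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

DOC_EXTENSIONS = (".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt")
# Heuristic: binaries a "document" shortcut has no reason to launch
INTERPRETERS = ("cmd", "powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "certutil")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the ID list and LinkInfo."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(entry_name: str, fields: dict) -> list:
    """Reasons an archive member looks like a lure; an empty list means nothing found."""
    reasons = []
    stem = entry_name.lower()
    if stem.endswith(".lnk"):
        stem = stem[:-4]
    if stem.endswith(DOC_EXTENSIONS):
        reasons.append("double extension disguises a shortcut as a document")
    launch = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    hits = [i for i in INTERPRETERS if i in launch]
    if hits:
        reasons.append("launches " + ", ".join(hits))
    return reasons


def scan_zip(zip_bytes: bytes) -> dict:
    """Map each suspicious .lnk member of the archive to the reasons it was flagged."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".lnk"):
                continue
            try:
                reasons = assess_lnk(info.filename, parse_lnk(archive.read(info)))
            except (ValueError, struct.error):
                reasons = ["unparseable .lnk"]
            if reasons:
                flagged[info.filename] = reasons
    return flagged


def build_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Construct a minimal Unicode shell link for the demo (no ID list, no LinkInfo)."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14,
                     HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments, icon))
    return bytes(header) + body


def build_sample_zip() -> bytes:
    """Constructed attachment: a hypothetical lure plus a benign shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Presidency of Barack Obama.pdf.lnk",
                         build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                                   "/c powershell -w hidden -enc <payload>",  # hypothetical
                                   r"%SystemRoot%\System32\SHELL32.dll"))
        archive.writestr("Notepad.lnk",
                         build_lnk(r"..\..\..\Windows\System32\notepad.exe", "", ""))
        archive.writestr("notes.txt", b"constructed filler")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

Run against a real attachment, `scan_zip(open(path, "rb").read())` returns only the members worth a closer look; the parser deliberately skips the ID list and LinkInfo blocks, since the relative path and arguments are what reveal the interpreter a lure launches.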

After gaining access to targeted systems, Unfading Sea Haze has used “a combination of custom and off-the-shelf tools” to collect data.

One custom tool is a keylogger named “xkeylog” that captures keystrokes on victim machines. Another custom tool is a browser data stealer that targets data stored in Google Chrome, Firefox, Microsoft Edge, or Internet Explorer.

A third custom tool allowed Unfading Sea Haze to monitor the presence of portable devices on compromised systems.

“The tool checks for portable devices every 10 seconds. If a WPD or USB is mounted, it gathers details about the device, and sends them using HTTP GET request to an attacker-controlled server,” the report explains.

Unfading Sea Haze has also collected data from messaging apps including Telegram and Viber, according to the report. The group also has used the RAR compression tool to manually collect data.

“This blend of custom and off-the-shelf tools, along with manual data extraction, paints a picture of a targeted espionage campaign focused on acquiring sensitive information from compromised systems,” the report reads.

The threat group went undetected for more than five years, a phenomenon that the report said “is particularly concerning,” and the attackers have “demonstrated a sophisticated approach to cyberattacks.”

The researchers said they publicized their findings on Unfading Sea Haze because they “want to help the security community with the knowledge to detect and disrupt their espionage efforts.”

The report ended with some recommendations on how to mitigate risks posed by Unfading Sea Haze and other similar threat actors. Prioritizing patch management, enforcing strong password policies, monitoring network traffic, and collaborating with the cybersecurity community are among the tips offered by Bitdefender researchers.

China is currently in territorial disputes with Brunei, Malaysia, the Philippines, Vietnam, and Taiwan over reefs, islands, and atolls in the South China Sea. A 2016 international ruling rejected Beijing’s “Nine-dash line” claim to about 85 percent of the South China Sea’s 2.2 million square miles.

In February, the Philippines announced that hackers based in China had tried unsuccessfully to break into the country’s websites and the email systems of the president and government agencies.

Frank Fang is a Taiwan-based journalist. He covers U.S., China, and Taiwan news. He holds a master's degree in materials science from Tsinghua University in Taiwan.