A US security company says analysis of software and infrastructure used by the hackers of the court website show it was infected with malware by someone in China. Photo: SCMP Pictures

‘Chinese cyberspies’ hack international court's website to fish for enemies in South China Sea dispute

The hacking incident happened in July as the Philippines challenged China’s claim to more than 80 per cent of the South China Sea in Permanent Court of Arbitration in The Hague

In the middle of a weeklong hearing on a South China Sea territorial dispute, the website of the Permanent Court of Arbitration in The Hague went offline – reportedly infected with malware by someone in China.

Whenever you see island-dispute issues flare up you also see cyberactivities spike as well
Tobias Feakin, director of Australia's International Cyber Policy Centre

The incident happened in July as the Philippines challenged China’s claim to more than 80 per cent of the South China Sea – an assertion that Manila said encroached on its exclusive economic zone.

Based on an analysis of the software and infrastructure used, the site was infected with malware by someone in China, according to ThreatConnect, a US security company. China did not take part in the Hague hearing.

Alongside the increased presence of coastguard and military ships and planes, cyberespionage is emerging as a new front in the wrangling over the South China Sea – an artery for global trade that straddles the Indian and Pacific oceans.

China regularly uses its coastguard and even fishing vessels to warn away the boats of other countries.

Infographic: the scale of South China Sea reclamation projects

The disputes have pulled in the US, which patrols the waters in the name of navigational freedom; most recently it has reportedly been considering sailing warships into the 12-nautical-mile exclusion zone around the islands that China is building.

The Chinese aren’t going to shut down their cyberespionage operations ... So they are most likely going to double down on traditional intelligence collection
Dmitri Alperovitch, co-founder of security company CrowdStrike

“Whenever you see island-dispute issues flare up you also see cyberactivities spike as well,” said Tobias Feakin, director of the International Cyber Policy Centre at the Australian Strategic Policy Institute in Canberra.

“If it is being used in coordination with the prodding that the Chinese do in a physical way, it surely shows you see a strategic advantage in the use of that power.”

The smaller economies of Southeast Asia are vulnerable to hacking, given the lack of spending on cyberdefence by some countries that rely on remittances from thousands of their citizens working overseas to propel growth, and a reluctance to report breaches of government security.

The one protection may be how dated or incomplete networks are, with a reliance on paper files in some far-flung areas.

Southeast Asian governments and companies are 45 per cent more likely to be targeted than the average for the rest of the world, security provider FireEye said in a recent report.

While President Xi Jinping agreed last month with President Barack Obama to broad principles to stop the theft of corporate secrets, the yet-to-be-developed rules will cover only the US and China and will not be extended to traditional intelligence collection.

“The Chinese aren’t going to shut down their cyberespionage operations,” said Dmitri Alperovitch, co-founder and chief technology officer of security company CrowdStrike.

“So they are most likely going to double down on traditional intelligence collection.”

In The Hague, the Philippines was seeking to enlist international law to deter China’s expansion in the South China Sea.

Hackers embedded the court of arbitration’s webpage on the case with code that infected the computers of visitors to the page, according to ThreatConnect. That left diplomats, lawyers and journalists interested in the case at risk of information theft, plus their wider organisations. “It’s like catching fish with a net,” said Rich Barger, ThreatConnect’s chief intelligence officer.

“I dip a big net into the ocean, I collect fish over the course of a few hours, and then I have the option of pulling out a few targeted fish that I wanted to have.”

The website had been unavailable for a short period in July owing to technical problems, Gaelle Chevalier, a case manager at the court of arbitration, adding “We have no information about the cause of the problems.”

The Philippine President Benigno Aquino’s deputy spokesperson, Abigail Valte, who was at The Hague, said she heard about the attack. “We were surprised,” Valte said.

There are other signs of cyberattacks on countries at times of tension with China.

Read more: Defiant China moves second oil rig closer to Vietnam, near three other drilling platforms

When China dragged an exploration oil rig into contested waters last year, it led to deadly anti-China protests in Vietnam and clashes at sea between coastguard boats. There was also an increase in cyberattacks on Vietnamese government targets, CrowdStrike said.

Neither China’s foreign ministry nor the defence ministry responded to questions about alleged Chinese involvement in the breach of the court of arbitration or Vietnamese government websites.

Officials regularly claim China is a victim of cybersecurity breaches and have repeatedly denied being the source of hacking of the US and other countries.

The foreign ministry has also argued that its island-building programme in the South China Sea is legitimate because the reefs are its sovereign territory, and that the construction is for peaceful purposes.

Vietnam has seen a rise in cyberattacks on government sites with more than 3,000 attacks that have defaced the sites and more than 5,000 malware attacks in the first half of the year, said its information security authority.

Hackers were found to have used internet protocol addresses based in countries including China, the US and Russia, the Vietnamese authority said.

“Whenever there has been a vital political, economic or social event, such as when the South China Sea disputes get heightened and complicated, attacks on government agency websites, especially those with a domain of, were seen to rise in volume, scope and mode,” it said.

CrowdStrike’s claims tally with those of FireEye, whose Mandiant division alleged in February 2013 that China’s military might be behind a group that had hacked at least 141 companies worldwide since 2006.

After the report was published, the US issued indictments against five military officials who were alleged members of that group, known as Advanced Persistent Threat 1.

In April, FireEye identified a group named APT 30, which it said had spent a decade targeting governments, the military and corporations in Southeast Asia. It said software code and language were among indicators the software used in attacks was developed in China.

ThreatConnect has identified a group of hackers called Naikon APT, which it said was backed by China’s People’s Liberation Army. Known as unit 78020, the group conducted cyberespionage against Southeast Asian targets, ThreatConnect said in a report published in September.

While China was viewed as the most active of the region’s cyberespionage actors, other countries were also developing capabilities, Alperovitch said. “But the Chinese have been in this game for 15 years, so they are head and shoulders above everyone else.”