These tiny islands are at the heart of an uncovered Chinese phishing campaign

Chinese cyber-espionage campaigns frequently coincide with territorial disputes.
Vietnam and China have turned to cyber-espionage in their fight over control in the South China Sea. (Getty Images)

Suspected Chinese hackers are behind a phishing campaign apparently aimed at collecting data about Vietnamese government officials amid an ongoing territorial dispute between the two nations, according to new findings.

A hacking group known as Pirate Panda, which has possible ties to the Chinese government, is trying to trick Vietnamese government officials into clicking on malicious Microsoft Excel documents attached to emails purportedly detailing festivities for Vietnamese holidays, according to research the threat intelligence firm Anomali shared with CyberScoop.

Targeted individuals appear to be located in Da Nang, Vietnam, near a collection of landmasses in the South China Sea known as the Paracel Islands. The area is one of the most hotly contested regions of the South China Sea, with Beijing claiming ownership of much of the waterway. In recent days, Vietnam has said it does not recognize China’s claims over the islands, while China has said that Vietnamese claims to the area are illegal.

In this case, Pirate Panda appears to be using email lures which include itineraries for two Vietnamese holidays, Reunification Day and Labor Day, scheduled for April 30 and May 1, respectively. Malicious Microsoft Excel documents attached to the message are capable of infecting the victims with a malware similar to KeyBoy and ExileRat, which steal files and collect system information from a victims’ computer. The Pirate Panda group has used both tools in the past, Anomali noted.


The use of holidays so near on the calendar as bait may also indicate an urgency to collecting victims’ data, researchers suggested.

“It is possible that the national holidays are being used as a lure, because the threat actors may have an imminent desire for lateral movement and access to data,” the report said.

Technical evidence also suggests the intended victims work in a Vietnamese government data center in Da Nang, based on the contents of the malicious files shared through the email campaign.

Pirate Panda has seized on major news events in recent months to try to target victims. The same group tried using phishing lures highlighting the coronavirus pandemic in February, the security firm CrowdStrike found.

Chinese hackers frequently launch cyber-espionage campaigns against targets related to its territorial standoffs. In 2018, for example, attackers hit U.S. engineering and defense firms which had access to sensitive information related to the South China Sea disputes, such as radar range and how well a system could detect activity underwater — information that could work to Beijing’s advantage.


In recent days, FireEye exposed some suspected Vietnamese government-linked hacking campaigns targeting Chinese government entities in search of information on the coronavirus response in China. Whether that attack is linked to the Pirate Panda operation in any way remains unclear.

Neither China’s Ministry of Foreign Affairs nor Vietnam’s Ministry of Foreign Affairs returned messages seeking comment before press time.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts