Beijing’s cyber threat actors are ramping up attacks amid the South China Sea dispute, engulfing the Philippines, Vietnam, and other claimant countries in its grey-zone tactics and weaponising disinformation and espionage.
China’s exertion of authority over the South China Sea (SCS) in recent years has resulted in tensions with resident claimant states like Malaysia, the Philippines, and Vietnam. While traditionally, military coercion has been at the forefront of Chinese grey-zone tactics, in the last few years, it has deployed a more covert but increasingly potent tool, cyber warfare, to intimidate, influence, and manipulate the SCS claimant states.
For the People’s Liberation Army, the move towards operationalising cyber operations in the SCS is not a sudden development; it results from years of focusing on information warfare and building technological expertise. China commonly employs four types of cyber-attack tactics—Distributed Denial-of-Service (DDoS) attacks, defacement of websites and digital signage, industrial control systems attacks, and ransomware attacks—each exhibiting distinct characteristics. Currently, the cyber landscape hosts several cyber threat groups, such as APT40, APT41, Mustang Panda, and Naikon, all renowned for targeting Southeast Asian countries involved in SCS disputes. However, recent research indicates that, as tensions in the contested region have escalated, several new cyber groups linked to Chinese interests have also emerged and are actively engaging in cyber operations, particularly against SCS claimant countries, posing serious cybersecurity threats. These include Cluster Alpha, Cluster Bravo, Cluster Charlie, Unfading Sea Haze, and Earth Longzhi.
A report released by Sophos examined a series of cyber intrusions carried out over two years by Chinese nation-state hackers (Cluster Alpha, Cluster Bravo, and Cluster Charlie) targeting a high-level Southeast Asian government department, searching for information about the country’s strategy concerning the contested SCS. The hackers tried collecting documents with file names of intelligence value, including military documents related to strategy in the SCS. Similarly, threat actors like Unfading Sea Haze have reportedly carried out a series of cyberattacks on eight military and government organisations in countries surrounding the SCS. Earth Longzhi, a subgroup of threat actor APT41, has been actively targeting multiple Southeast Asian countries, specifically other SCS claimants, since its emergence in 2020.
Besides, new entrants like the Chinese advanced persistent threat actor Salt Typhoon, which recently became famous for its cyberattacks against the United States (US), have also been targeting Southeast Asian nations, including the Philippines, Vietnam, Malaysia, and Indonesia, since 2023, primarily attacking their telecommunication sectors.
Table 1: Chinese Threat Actors’ Activities
Source: Authors’ own
The intensification of territorial disputes in the SCS in recent years has led to a notable escalation in cyberattacks targeting SCS countries. China’s cyber operations often aim to attack the targeted country psychologically, i.e., China uses, or threatens to use, cyber forces to shape adversaries’ decision-making processes. One of China’s strategies for shaping the information environment is swaying public opinion to support and further China’s political objectives. A prime example of this strategy is when Chinese-linked hackers reportedly created an audio deepfake of Philippine President Ferdinand Marcos Jr instructing the military to take action against China. The aim was to stir tensions and make it seem like the Philippines was preparing for conflict, although no such directive had been issued. The new cyber tactics highlight Chinese hackers’ emphasis on integrating advanced technologies, such as artificial intelligence.
Among SCS claimant countries, the Philippines and Vietnam face the most heat from Chinese cyberattacks. This is due to the strong positions they have taken in asserting their sovereignty and territorial integrity, making them frequent targets of Chinese cyber-operations. A recent report by Resecurity, a US-based cybersecurity solutions firm, highlighted a 325 percent spike in cyberattacks in the Philippines in early 2024 compared to late 2023. The methods included data breaches (55 percent), misinformation campaigns (35 percent), and DDoS attacks (10 percent), with sensitive information leaks causing significant public concern. Philippine law enforcement, ministries, and universities were hit the hardest during this surge, coinciding with rising SCS tensions.
While cyber threats have increasingly become part of the Chinese playbook, their application in the SCS can be traced to almost a decade ago. In 2012, during the Scarborough Shoal and Spratly Islands standoff, a confrontation between Philippine vessels and Chinese patrols sparked a cyber conflict. Following the event, hackers from China defaced the University of the Philippines website, replacing it with a map showing the contested shoal labelled in Chinese characters. The conflict moved beyond one-sided coercion into a retaliatory cycle where both China and the Philippines engaged in cyber defacements against each other.
In 2019, APT10, another Chinese cyber espionage group active since 2009, deployed two specific types of malware targeting government and private organisations in the Philippines. Concurrently, the Analytics Association of the Philippines found Chinese-origin scripts embedded in major Philippine government websites, including the presidential office and national police, designed to intercept data and monitor activity. These attacks resulted from the conflict between the two countries at the Sabina Shoal in the Spratly Islands in 2019.
Besides the Philippines, Vietnam has attracted the attention of Chinese hackers, particularly during heightened SCS tensions. In 2017, the hacking group 1973CN, suspected of ties to Chinese interests, conducted cyber espionage against Vietnamese organisations by using phishing emails linked to previously identified Chinese malware and servers. These developments coincided with China’s threats against Vietnam’s outposts in the Spratly Islands over contested drilling activities. In 2020, another group, Pirate Panda, targeted Vietnamese government officials with phishing emails disguised as holiday event invitations. These attacks aimed to steal sensitive data by exploiting Vietnam’s national holidays, reflecting a focused effort to gather intelligence on Vietnam’s SCS stance. This attack came amid heightened tensions over the disputed Paracel Islands in the SCS, with both nations claiming rights to the region.
These attacks demonstrate that conflicts in the maritime and cyber domains go hand-in-hand. They also show China’s ability and willingness to leverage cyber capabilities to further its geopolitical objectives in the region.
As highlighted, while most countries share maritime disputes with China, not everyone attracts the same attention. For example, Malaysia has remained off the Chinese cyber radar by adopting a different diplomatic path while continuing to invest in defensive cybersecurity. According to the National Cyber Security Index, Malaysia is the most cyber-competent nation in Southeast Asia, scoring 79.22 out of 100, compared to Vietnam’s 36.36 and the Philippines’ 63.64.
This was possible due to specific steps taken by the country. For instance, Malaysia’s centralised agency, the National Cyber Security Agency (NACSA), unifies cybersecurity efforts by coordinating between the public and private sectors. Additionally, Malaysia’s strong public-private partnerships foster effective information sharing and allow for a proactive approach to emerging threats. The country also prioritises public awareness programs to ensure citizens and businesses understand cybersecurity risks, creating a culture of vigilance. Malaysia has claims in the SCS and has invested in strengthening its cyber defences, but its distinctive diplomatic approach and its avoidance of confrontations with China have also worked in its favour, helping Malaysia shield its economic ties and keep itself relatively out of sight. The differences emphasise that the conflicts in the two domains are correlated.
While Southeast Asian countries have responded to this growing wave of cyber threats by strengthening their cybersecurity frameworks, increasing regional cooperation, and seeking international support, countries like the Philippines and Vietnam have remained at risk due to their cybersecurity vulnerabilities and firm stance on sovereignty. Therefore, to offset the increasing effects in the cyber domain, the vulnerable countries must do more, paying particular attention to building their defensive and offensive cyber capabilities. Drawing on Malaysia’s practices, Vietnam and the Philippines could design a more resilient, adaptive, and unified approach to cybersecurity in the face of intensifying Chinese cyber aggression.
Abhishek Sharma is Research Assistant with the Observer Research Foundation’s Strategic Studies Programme, New Delhi.
Ishanya Sharma is Research Intern at Observer Research Foundation, New Delhi.
The views expressed above belong to the author(s).